ABSTRACT

Factorization and primality testing have blossomed in recent decades. This ancient factoring problem has a very important application in our modern society. The security of information transmission over the internet is dependent on the difficulty of factoring large numbers. Therefore this subject has become of great interest to government, business and those who are concerned with the secure transmission of information.

This paper reviews different methods of factoring. The focus will be on the two most efficient algorithms, which are the Quadratic Sieve and the Number Field Sieve. Background information such as definitions and theorems is given to help understand the concepts behind each method. Several examples are also given to illustrate the factorization process.
Chapter 1

Introduction

The concept of prime numbers is quite old. It was first extensively studied by the ancient Greek mathematicians as early as 500 BC. By the time Euclid wrote the Elements in 300 BC, the concept of factorization of a composite number already existed. It is surprising that such an ancient topic has a very important application in our modern age, namely the RSA public key cryptosystem. The name "RSA" comes from the initials of its originators, R.L. Rivest, A. Shamir and L.M. Adleman. RSA is one of many methods of encryption used to transmit secure information. It is based on Euler's Theorem. The security of this method relies on the tremendous difficulty of factoring very large numbers.

The RSA encryption process starts with two distinct large primes $p$ and $q$ and their product $n = pq$. Let $e$ be an integer that is relatively prime to $\phi(n)$, where $\phi(n)$ is the Euler phi-function. From number theory we know there exists a unique $d$ modulo $\phi(n)$ such that $e \times d \equiv 1 \pmod{\phi(n)}$. The number $e$ is called the encryption exponent while $d$ is the decryption exponent. Only $n$ and $e$ are made available to the public, in particular to the sender, while the receiver is the one that created $n$ from $p$ and $q$, and $d$ from $e$ through $e \times d \equiv 1 \pmod{\phi(n)}$. The receiver will use the private key $d$ to retrieve the message.

Before a message is sent out, it is first converted to a number. Suppose each letter is assigned a number; then a string of letters will be replaced with a string of numbers. To make a string of numbers easy to handle, it is necessary to keep the numbers in blocks. Each block is then converted to a single number. Let $M < n$ be the numerical version of the message block; it should be chosen relatively prime to $n$. The sender uses $n$ and $e$ to encrypt the number $M$. Let $E$ be the encrypted version of the message, defined by:

$E \equiv M^e \pmod n$.


To decode the message, one simply computes $E^d \pmod n$. To see how this works, we first recall Euler's theorem, which says that if $M$ and $n$ are relatively prime positive integers then $M^{\phi(n)} \equiv 1 \pmod n$. Since $ed \equiv 1 \pmod{\phi(n)}$, we can write $ed = 1 + k\phi(n)$ for some integer $k$, and the original message $M$ is then recovered by:

$E^d \equiv (M^e)^d = M^{ed} = M^{1 + k\phi(n)} = M \times (M^{\phi(n)})^k \equiv M \times 1 \pmod n$.


Notice that the private key $d$ is needed above to reveal $M$. Since $e \times d \equiv 1 \pmod{\phi(n)}$, $d$ is just the multiplicative inverse of $e$ modulo $\phi(n)$, provided $\phi(n)$ is known. Because $\phi(n) = (p-1) \times (q-1)$, $\phi(n)$ can be calculated easily if $p$ and $q$ are known. The problem of decrypting the message therefore boils down to the factorization of $n$. The numbers $p$ and $q$ are chosen to be so large that modern methods cannot factor $n = pq$ in a reasonable amount of time. If an adversary were able to factor $n$, then the system would be broken.
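The key set-up, encryption, decryption and the factoring attack described above, carried out with deliberately tiny primes. This is an added Python example and not code from the thesis; the primes 61 and 53, the exponent 17 and the message block 65 are arbitrary choices for illustration, and the function names are mine. The attacker's step, trial_factor, only succeeds because $n$ is small, which is exactly the point of the paragraph above.

```python
# Added example (not from the thesis): textbook RSA with tiny primes, showing
# that whoever can factor n = pq recovers phi(n) and hence the private exponent d.
# p = 61, q = 53, e = 17 and the message block 65 are illustrative choices only.
from math import gcd


def keygen(p, q, e=17):
    """Return (n, e, d) for distinct primes p, q with gcd(e, phi(n)) == 1."""
    assert p != q
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be relatively prime to phi(n)")
    d = pow(e, -1, phi)              # e * d == 1 (mod phi(n)); needs Python 3.8+
    return n, e, d


def encrypt(m, n, e):
    """E = M^e mod n, using only the public pair (n, e)."""
    return pow(m, e, n)


def decrypt(c, n, d):
    """E^d = M^(ed) = M * (M^phi(n))^k = M (mod n) by Euler's theorem."""
    return pow(c, d, n)


def trial_factor(n):
    """Recover p, q from n = pq by trial division; feasible only for tiny n."""
    for p in range(2, int(n ** 0.5) + 1):
        if n % p == 0:
            return p, n // p
    raise ValueError("no nontrivial factor found")


def break_rsa(n, e):
    """An adversary who can factor n rebuilds phi(n) and therefore d."""
    p, q = trial_factor(n)
    return pow(e, -1, (p - 1) * (q - 1))


def demo():
    n, e, d = keygen(61, 53, e=17)   # n = 3233, phi(n) = 3120, d = 2753
    m = 65                           # message block, must satisfy m < n
    c = encrypt(m, n, e)
    return n, d, c, decrypt(c, n, d), break_rsa(n, e)
```

With these parameters demo() returns the ciphertext 2790, recovers the block 65, and break_rsa finds the same d = 2753 as the legitimate key holder; with real 1024-bit or larger primes trial_factor would never finish, which is the whole security argument.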

In chapters 2 and 3, we look at different methods of factorization, which include Trial Division, Fermat's algorithm, Pollard's Rho method, Pollard's $p-1$ method, Dixon's algorithm, the Quadratic Sieve and the General Number Field Sieve.


Chapter 2 


Different Methods of Factorization 


2.1 Definitions and Theorems 


We start out this chapter with some of the definitions and theorems that we are going to use repeatedly throughout this paper. The following definitions and theorems can be found in the Elementary Number Theory book by James K. Strayer.


Definition 2.1. A positive integer is said to be $y$-smooth if it does not have any prime factor exceeding $y$.

Definition 2.2. Let $n \in \mathbb{Z}$ with $n > 0$. The Euler phi-function, denoted $\phi(n)$, is the function defined by

$\phi(n) = |\{x \in \mathbb{Z} : 1 \le x \le n,\ \gcd(x, n) = 1\}|$, where $|\ |$ denotes cardinality.

Definition 2.3. Let $x \in \mathbb{R}$ with $x > 0$. Then $\pi(x)$ is the function defined by

$\pi(x) = |\{p : p \text{ is prime},\ 1 < p \le x\}|$.

Definition 2.4. Let $p$ be an odd prime number and let $a \in \mathbb{Z}$ with $p \nmid a$. The Legendre symbol, denoted $\left(\frac{a}{p}\right)$, is $1$ if $a$ is a quadratic residue modulo $p$, that is, if $x^2 \equiv a \pmod p$ for some $x \in \mathbb{Z}$. Otherwise it is $-1$, and $a$ is a quadratic nonresidue modulo $p$.

Theorem 1. (Fermat's Little Theorem)
If $p$ is an odd prime then
$2^{p-1} \equiv 1 \pmod p$.

Theorem 2. (General Form of Fermat's Theorem)
If $p$ is a prime which does not divide $b$, then
$b^{p-1} \equiv 1 \pmod p$.

Theorem 3. (Euler's Theorem)
Let $a, m \in \mathbb{Z}$ with $m > 0$. If $\gcd(a, m) = 1$, then
$a^{\phi(m)} \equiv 1 \pmod m$.

Theorem 4. (Euler's Criterion)
Let $p$ be an odd prime number and let $a \in \mathbb{Z}$ with $p \nmid a$. Then
$\left(\frac{a}{p}\right) \equiv a^{(p-1)/2} \pmod p$.

Theorem 5. (Prime Number Theorem)
For large $x$, the quantity $\pi(x) \ln x / x$ is close to $1$. That is to say, the quantity $\pi(x)$ may be approximated by $x / \ln x$.

Theorem 6. (Chinese Remainder Theorem)
Let $p_0, \ldots, p_{l-1}$ be positive, pairwise coprime moduli with product $P = \prod_{i=0}^{l-1} p_i$. Let $l$ respective residues $x_i$ also be given. Then the system comprising the $l$ relations and the inequality

$x \equiv x_i \pmod{p_i}$, $0 \le x < P$

has a unique solution. Furthermore, this solution is given explicitly by the least nonnegative residue modulo $P$ of

$\sum_{i=0}^{l-1} x_i a_i P_i$,

where $P_i = P/p_i$, and the $a_i$ are inverses defined by $a_i P_i \equiv 1 \pmod{p_i}$.


2.2 Trial Division 


Trial division is our first and simplest method for factoring an integer. Let $n$ be the number to be factored. Trial division is based on the fact that if $n$ has a factor other than $1$ and itself, then $n$ must have a factor less than or equal to $\sqrt{n}$. We start out with a list of primes less than or equal to $\sqrt{n}$ and try to divide them into $n$ repeatedly. If none of the primes in the list divides $n$ evenly, then $n$ is a prime. Otherwise, each time a prime divides $n$, we replace $n$ by its quotient with that prime. Once we reach the point where the remaining unfactored portion is less than the square of the prime that we last used, then the unfactored portion is a prime, or else it is $1$. In either case the factorization is complete.

For example, let $n = 3948$, so $\lfloor\sqrt{n}\rfloor = 62$. We are going to start out with $2$. Since $2$ is a factor of $n$, we divide $2$ out and the quotient is $1974$. We realize that $2$ still goes into the quotient. We divide by $2$ again and we have the quotient $987$. Since $2$ does not go into the remaining unfactored portion, we try the next prime $3$. We divide $987$ by $3$ and the quotient is $329$. Continuing in the same manner we find that the next prime factor that goes into the remaining portion is $7$ and the quotient is $47$. Realizing that $47 < 7^2$, $47$ must be a prime. Therefore $n = 2^2 \times 3 \times 7 \times 47$.

In this method, the trial divisors do not all have to be primes. Here is an example. Let $n = 774$ be the number to be factored. We trial divide by $2$ and realize it is a divisor. Divide $2$ into $n$ and the quotient is $387$. Since $2$ does not go into the remaining unfactored portion, we try the next number, which is $3$. Divide $3$ into $387$ and the quotient is $129$. The factor $3$ goes into $129$ one more time and the quotient is $43$. This time we just divide $4, 5, 6, \ldots$ consecutively into the remaining portion without worrying whether they are primes. That $6$ does not go into it evenly simply means that the prime factors of $6$, which are $2$ and $3$, were already factored out previously. So dividing by $6$ is a waste of time, but it saves us from checking whether $6$ is prime or not. The next trial is $7$ and $7^2 > 43$, so therefore $43$ is a prime. We have the complete factorization $774 = 2 \times 3^2 \times 43$. This version may take longer but it does end up with the factorization of $n$ and is easier to apply. Since all the primes are odd except $2$, we can compromise by using $2$ and all the odd numbers as trial divisors to speed up the process.

Trial division can be used for factoring or primality testing provided the number $n$ is not too large. With a modern workstation, a number of 13 to 19 decimal digits can be factored or proven to be a prime in less than one minute. Trial division can also be used to recognize smooth numbers. Recall that a number is said to be $B$-smooth if all of the primes in its factorization are less than or equal to $B$.

So how long does it take to factor a number $n$ using trial division? The worst case is when $n$ is a prime itself, since we have to trial divide by all primes up to $\sqrt{n}$. If we only use prime divisors then it would take approximately

$\pi(\sqrt{n}) \approx \frac{\sqrt{n}}{\ln \sqrt{n}} = \frac{2\sqrt{n}}{\ln n}$

divisions, by the prime number theorem. If we only use $2$ and all the odd numbers as trial divisors then it would take approximately $\sqrt{n}/2$ divisions.
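Trial division with $2$ and the odd numbers, stopping as soon as the square of the divisor exceeds the unfactored part, together with the $B$-smoothness test built on it. This is an added Python example, not code from the thesis; the function names are mine and the inputs $3948$ and $774$ are the two worked examples above.

```python
# Added example (not from the thesis): trial division by 2 and the odd numbers,
# plus the B-smoothness check that later sections rely on.


def trial_division(n):
    """Return the prime factorization of n > 1 as a list of (p, e) pairs.
    Trial divisors are 2, 3, 5, 7, ... (2 and the odd numbers); composite odd
    divisors never divide because their prime factors were removed earlier.
    Stops when d*d exceeds the unfactored part, which is then itself prime."""
    assert n > 1
    factors = []
    d = 2
    while d * d <= n:
        if n % d == 0:
            e = 0
            while n % d == 0:          # divide d out as often as it goes
                n //= d
                e += 1
            factors.append((d, e))
        d = 3 if d == 2 else d + 2     # 2, then only odd trial divisors
    if n > 1:
        factors.append((n, 1))         # leftover cofactor is prime
    return factors


def is_smooth(n, bound):
    """True if every prime factor of n is <= bound (n is bound-smooth)."""
    return all(p <= bound for p, _ in trial_division(n))
```

trial_division(3948) returns [(2, 2), (3, 1), (7, 1), (47, 1)]: after 7 is divided out the cofactor 47 is below 9^2, so the loop ends without testing 9, 11, ... and 47 is reported as prime, just as in the hand computation.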


2.3  Fermat’s Algorithm 


Let $n$ be the number to be factored. If $n$ can be written in the form $n = x^2 - y^2$, then $n$ can be immediately factored as $(x+y)(x-y)$. If $x - y > 1$, then we have succeeded in factoring $n$ into two smaller factors. We notice that if $n$ is odd and is also a product of two integers, then $n$ can always be expressed as the difference of two perfect squares. To see this, let $n = ab$, where $a, b$ are positive odd integers. Let

$x = (a+b)/2$ and $y = (a-b)/2$.

Then $x^2 - y^2 = \frac{(a+b)^2 - (a-b)^2}{4} = ab = n$. Fermat's algorithm starts with $x$ from $\lceil\sqrt{n}\rceil, \lceil\sqrt{n}\rceil + 1, \ldots$ and checks whether $x^2 - n$ is a square, say $y^2$. If that is the case, then $x^2 - y^2 = n$, or $n = (x+y)(x-y)$.

For example, let $n = 551$ be the number to be factored, so $\lceil\sqrt{551}\rceil = 24$. We notice that $24^2 - 551 = 5^2$, or $(24 + 5)(24 - 5) = 551$. Therefore $551 = 29 \times 19$.
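Fermat's search as an added Python example (not code from the thesis; the function name is mine). Besides the text's $551$, it is run on the constructed inputs $5959 = 59 \times 101$, $1313 = 13 \times 101$ and the prime $23$ to show how the number of candidates $x$ tried grows with the distance $(a+b)/2 - \lceil\sqrt{n}\rceil$, and that for a prime $n$ the search only ends at $x = (n+1)/2$ with the trivial factorization $1 \times n$.

```python
# Added example (not from the thesis): Fermat's difference-of-squares search.
from math import isqrt


def fermat_factor(n):
    """For odd n > 1, try x = ceil(sqrt(n)), ceil(sqrt(n)) + 1, ... until
    x^2 - n is a perfect square y^2, so that n = (x - y)(x + y).
    Returns (x - y, x + y, number_of_x_tried).  For a prime n the search
    runs all the way to x = (n + 1) / 2 and reports the trivial pair (1, n)."""
    assert n > 1 and n % 2 == 1, "Fermat's method as described needs an odd n"
    x = isqrt(n)
    if x * x < n:
        x += 1                       # ceil(sqrt(n)); x*x == n would mean n is a square
    tried = 0
    while True:
        tried += 1
        y2 = x * x - n
        y = isqrt(y2)
        if y * y == y2:              # exact integer square test, no floating point
            return x - y, x + y, tried
        x += 1
```

The count returned as the third element makes the cost visible: $551$ succeeds on the first candidate, $1313$ needs $21$, and the prime $23$ needs $8$ even though it is tiny, which is why Fermat's method is only attractive when the two factors are close together.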

If $a$ and $b$ are distinct primes and all we know is that $x^2 \equiv y^2 \pmod n$, there will be a 50-50 chance that $n$ will be factored. To see how this works we notice that under this condition we have $x^2 \equiv y^2 \pmod a$ and $x^2 \equiv y^2 \pmod b$. Therefore $a \mid x^2 - y^2$ and $b \mid x^2 - y^2$; equivalently $a \mid (x - y)$ or $a \mid (x + y)$, and likewise $b \mid (x - y)$ or $b \mid (x + y)$. We have four cases to consider.

Case 1: If $a \mid x - y$ and $b \mid x - y$, then $n \mid x - y$ and $\gcd(n, x - y) = n$. We do not have a factoring of $n$.

Case 2: If $a \mid x - y$, $a \nmid x + y$ and $b \mid x + y$, $b \nmid x - y$, then $\gcd(n, x - y) = a$. We have found a factor $a$ of $n$.

Case 3: If $a \mid x + y$, $a \nmid x - y$ and $b \mid x - y$, $b \nmid x + y$, then $\gcd(n, x - y) = b$. We have found a factor $b$ of $n$.

Case 4: If $a \mid x + y$, $a \nmid x - y$ and $b \mid x + y$, $b \nmid x - y$, then $\gcd(n, x - y) = 1$. We do not have a factoring of $n$.


2.4 Pollard’s Rho Method 


The Pollard Rho factorization algorithm was introduced in 1975 [CP01]. It works well for numbers that have moderately sized prime divisors, around 10° to 10°. When the number to be factored has prime divisors that are too big for trial division, this method may be useful since it is easy to understand and does not take a lot of storage in the computer. Once all the prime divisors are bigger than 10!*, we have to rely on other methods like the Quadratic Sieve algorithm, the General Number Field Sieve, etc.

Let $n$ be a composite integer that has a nontrivial divisor $p$. As an example, we let $n = 1313$. Consider a simple irreducible polynomial in $x$, like $f(x) = x^2 + 1$. Starting with a random integer $x_0 = 1$, we can create a sequence from the recursive definition:

$x_i = f(x_{i-1}) \bmod n$.

We get the sequence $x_1 = 2, x_2 = 5, x_3 = 26, x_4 = 677, x_5 = 93, x_6 = 772, x_7 = 1196, x_8 = 560, x_9 = 1107, x_{10} = 421, x_{11} = 1300, x_{12} = 170, x_{13} = 15, x_{14} = 226, x_{15} = 1183, \ldots$

Since $n$ is finite, there are only a finite number of congruence classes modulo $n$. The above sequence will eventually have a repeated term and become cyclic. This cyclic behavior is associated with the oval part of the Greek letter "$\rho$", whereas the precyclic part is associated with the tail of the "$\rho$". According to the birthday paradox [CP01], we expect to have a repeated term in approximately $\sqrt{n}$ steps, which is about the same as trial division.

Here is a better way. Choose a factor $p$ of $n$ and denote $y_i = x_i \bmod p$. If we knew $p$ (for example, $p = 13$) we could create the $y_i$'s as follows, where $y_{i+1} = f(y_i) \pmod p$: $y_0 = 1, y_1 = 2, y_2 = 5, y_3 = 0, y_4 = 1, y_5 = 2, y_6 = 5, y_7 = 0, y_8 = 1, y_9 = 2, y_{10} = 5, y_{11} = 0, \ldots$

Since there are fewer congruence classes modulo $13$, we see more repeated terms in the $y_i$'s. It only takes $4$ steps for the sequence to repeat this time. When $y_i = y_j$, then $x_i \equiv x_j \pmod p$. Therefore $p$ divides $x_i - x_j$. Since $p$ is also a factor of $n$, there is a good chance that $\gcd(n, x_i - x_j)$ is a nontrivial divisor of $n$. However, since we do not know the factor $p$, we have no access to the $y_i$ sequence, and therefore we have no idea when $y_i$ will equal $y_j$. Note that we do not need to know the values of $y_i$ and $y_j$; we just need to determine two indices $i, j$ where $y_i = y_j$.

So how do we go about searching for pairs $(i, j)$ such that $y_i = y_j$ in order to compute $\gcd(n, x_i - x_j)$? The first cycle-finding method is called the Floyd cycle-finding algorithm [CP01]. Suppose $i < j$. We notice that if $y_i = y_j$, then for $m \ge i$, $y_m = y_{m + (j-i)} = y_{m + 2(j-i)} = \cdots = y_{m + k(j-i)}$. Let $m \ge i$ be such that $m$ is divisible by $(j - i)$, so $y_m = y_{2m}$. The basic idea of Pollard's Rho method is that instead of searching over all pairs $(i, j)$ and computing $\gcd(x_i - x_j, n)$, we compute the sequence $\gcd(x_i - x_{2i}, n)$ until something other than $1$ or $n$ is found. One of the advantages of this method is that very little space is required. We only need to keep in memory the number $n$, which is the number to be factored, and the current pair $x_i$ and $x_{2i}$. Even though many $x_i$'s need to be calculated twice, it is much better than trying to store all the $x_i$'s in an array. With this method, we are able to factor $n = 1313$ successfully by finding $\gcd(x_8 - x_4, n) = \gcd(560 - 677, 1313) = 13$. Therefore $1313 = 13 \times 101$.

Another form of a cycle-finding algorithm is due to R.P. Brent [Bre89]. As in the Floyd method, it does not store all the $x_i$'s, but looks at the differences $x_1 - x_3$, $x_3 - x_6$, $x_3 - x_7$, $\ldots$, $x_{2^k - 1} - x_j$ where $2^{k+1} - 2^{k-1} \le j \le 2^{k+1} - 1$.

This gives a systematic way of choosing a lot of pairs $(i, j)$ to compute $\gcd(x_i - x_j, n)$, using each difference $j - i$ once and letting $i \to \infty$ at the same time. With this method, we are able to factor $n = 1313$ successfully by finding $\gcd(x_3 - x_7, n) = \gcd(26 - 1196, 1313) = 13$. Therefore $1313 = 13 \times 101$.

In both the Brent and the Floyd method, we have to compute $\gcd(x_i - x_j, n)$ many times to find a nontrivial divisor of $n$. We can save work by doing it in blocks. For example, we can compute ten successive values of $(x_i - x_j) \bmod n$, multiply them together, and then take the gcd of $n$ with that product. Sometimes the gcd will be $n$. If that is the case, we may have to go back and take the gcd of each factor individually with $n$ in order to recover $p$. For example, the product of the first ten Brent differences $(x_i - x_j) \pmod{1313}$, with $1 \le i \le 15$ and $3 \le j \le 26$, is $0$. The gcd of $1313$ with the product of these ten successive values of $(x_i - x_j)$ will therefore be $1313$. By going back to take the gcd of each factor with $1313$, we are able to factor $1313$ by using either $\gcd(x_3 - x_7, n) = \gcd(26 - 1196, 1313) = 13$ or $\gcd(x_7 - x_{15}, n) = \gcd(1196 - 1183, 1313) = 13$.
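Both cycle-finding variants of this section, with the blocked gcd, as an added Python example that is not code from the thesis. Function names are mine; the Brent window $2^{k+1} - 2^{k-1} \le j \le 2^{k+1} - 1$ and the batch size of ten follow the text, $n = 1313$ is the text's example and $n = 8051$ with $x_0 = 2$ is a second constructed input.

```python
# Added example (not from the thesis): Pollard's rho with Floyd's and Brent's
# cycle finding and gcds taken over blocks of differences.
from math import gcd


def f(x, n, c=1):
    """The iteration map x -> x^2 + c (mod n); c = 1 is the text's x^2 + 1."""
    return (x * x + c) % n


def rho_floyd(n, x0=1, c=1):
    """Floyd: compare x_i with x_{2i}.  Returns (i, g) for the first i with
    g = gcd(x_{2i} - x_i, n) nontrivial, or None if g reaches n first
    (then retry with another c or x0).  Only n, x_i and x_{2i} are stored."""
    x = y = x0
    i = 0
    while True:
        i += 1
        x = f(x, n, c)                         # x_i
        y = f(f(y, n, c), n, c)                # x_{2i}
        g = gcd(abs(y - x), n)
        if g == n:
            return None
        if g > 1:
            return i, g


def rho_brent(n, x0=1, c=1, batch=10):
    """Brent: keep only x_{2^k - 1} and the current x_j, comparing them for
    2^{k+1} - 2^{k-1} <= j <= 2^{k+1} - 1 (pairs (1,3), (3,6), (3,7), (7,12), ...).
    `batch` differences are multiplied mod n before one gcd; if that gcd is n
    the pairs of the batch are re-examined one at a time.  Returns ((i, j), g)."""
    x = x0
    saved, saved_idx = x0, 0                   # x_{2^k - 1} for the current k
    k, j, lo, hi = 0, 0, 0, 0                  # window [lo, hi] of j for this k
    pending = []                               # (i, j, (x_i - x_j) mod n)
    while True:
        j += 1
        x = f(x, n, c)                         # x_j
        if lo <= j <= hi:
            pending.append((saved_idx, j, (saved - x) % n))
        if j == 2 ** (k + 1) - 1:              # x_j becomes the next saved term
            k += 1
            saved, saved_idx = x, j
            lo, hi = 2 ** (k + 1) - 2 ** (k - 1), 2 ** (k + 1) - 1
        if len(pending) == batch:
            prod = 1
            for _, _, d in pending:
                prod = prod * d % n
            g = gcd(prod, n)
            if 1 < g < n:
                return (pending[0][0], pending[-1][1]), g
            if g == n:                         # block collapsed: fall back to single gcds
                for i, jj, d in pending:
                    g = gcd(d, n)
                    if 1 < g < n:
                        return (i, jj), g
                return None
            pending = []
```

rho_floyd(1313) stops at $i = 4$ with $\gcd(x_8 - x_4, 1313) = 13$, and rho_brent(1313, batch=1) at the pair $(3, 7)$, matching the two hand computations above; with batch=10 the first block of ten differences either yields 13 directly or collapses to 1313 and the fallback recovers 13 from $(3, 7)$.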


2.5 Pollard’s p-1 Method 


This algorithm was invented by John Pollard in 1974 and is based on Fermat's Little Theorem, which says that if $p$ is an odd prime, then $2^{p-1} \equiv 1 \pmod p$. Therefore if $p - 1$ is a factor of $M$, then we also have $2^M \equiv 1 \pmod p$ by Fermat's Theorem. Equivalently $p \mid 2^M - 1$. Let $n$ be the integer to be factored and let $p$ be one of its prime factors. We have that $p$ divides both $n$ and $2^M - 1$. There is a good chance that $n$ does not divide $2^M - 1$, in which case $\gcd(2^M - 1, n)$ is a nontrivial factor of $n$. To speed up the computation, we can take $\gcd((2^M - 1) \bmod n, n)$ instead of $\gcd(2^M - 1, n)$. Since exponentiation modulo $n$ is very fast, this algorithm can find potential factors with great efficiency. Pollard's idea is to choose $M$ so that it has many factors that are $1$ less than a prime number. The suggestion is to let $M$ be the least common multiple of the integers up to $B$ for some choice of $B$. Therefore $M = \mathrm{lcm}(1, 2, \ldots, B) = \prod \{p^a : p^a \le B\}$, where each prime $p \le B$ contributes its largest power $p^a \le B$.

For example, let $n = 527$ be the number to be factored, and let $B = 10$. The least common multiple of the integers up to $10$ is $M(10) = 2^3 \times 3^2 \times 5 \times 7$. We want to compute $\gcd((2^{2^3 \times 3^2 \times 5 \times 7} - 1) \bmod 527, 527)$. Unfortunately this gcd turns out to be $527$. In many cases, we can increase the bound $B$. In this case it does not work because already $((2^{2^3})^{3^2})^5 \equiv 1 \pmod{527}$. The gcd in this case will always end up being $n$ no matter how high we increase the bound $B$. Notice that there is nothing special about the number $2$ in this method. The number $2$ can be replaced with any $a$ that is relatively prime to $n$. This time we want to try $a = 3$: $\gcd((3^{2^3 \times 3^2 \times 5 \times 7} - 1) \bmod 527, 527) = 31$. Therefore $527 = 31 \times 17$.

We notice from the above example that this method sometimes fails to give a nontrivial factor of $n$: $\gcd((a^M - 1) \bmod n, n)$ sometimes yields $1$ or $n$. In practice, the situation that happens more often is that $\gcd((a^M - 1) \bmod n, n) = 1$, and we usually deal with it by expanding the bound $B$ and applying an extension called the second stage. Let $B'$ be the second bound, bigger than $B$. Let all the primes in $(B, B']$ be $Q_1 < Q_2 < \cdots$. Previously we used the exponent $M(B)$. We now continue with all the exponents of the form $Q M(B)$ with $Q \in (B, B']$. Notice that $Q M(B) \mid M(B')$. Therefore what we are doing here is not the same as raising the bound $B$ to $B'$ and computing $\gcd((a^{M(B')} - 1) \bmod n, n)$ as above. What we are doing now is trying to retrieve more factors $p$ of $n$ with $p - 1$ of the form $Qm$, where $m$ is a factor of $M(B)$. Notice that $2^{Q_i M(B)} \pmod n$ is fairly easy to find by recursion. For example, after we find the initial value $2^{Q_1 M(B)} \pmod n$, $2^{Q_2 M(B)} \pmod n$ can be found simply by multiplying $2^{Q_1 M(B)} \pmod n$ by $2^{(Q_2 - Q_1) M(B)} \pmod n$. Basically it is inexpensive to do this additional stage since the differences $Q_i - Q_{i-1}$ are much smaller than the $Q_i$ themselves and all the $2^{(Q_i - Q_{i-1}) M(B)}$ can be precalculated.
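Stage one with $M(B) = \mathrm{lcm}(1, \ldots, B)$ and the second stage over the primes $Q \in (B, B']$, as an added Python example that is not code from the thesis. Function names are mine; $n = 527$, $B = 10$ and the bases $2$ and $3$ are the text's example, while $n = 4747 = 47 \times 101$ is a constructed input on which stage one fails with $B = 10$ (since $47 - 1 = 2 \times 23$) and the second stage with $B' = 30$ succeeds at $Q = 23$.

```python
# Added example (not from the thesis): Pollard's p-1, stage 1 and stage 2.
from math import gcd


def stage1_exponent(B):
    """M(B) = lcm(1, 2, ..., B) = product of the largest prime powers p^a <= B."""
    M = 1
    for k in range(2, B + 1):
        M = M * k // gcd(M, k)
    return M


def pollard_pm1(n, B, a=2):
    """Stage 1: gcd((a^M(B) - 1) mod n, n).  A result of 1 or n is a failure;
    retry with a larger B, another base a, or the second stage."""
    return gcd(pow(a, stage1_exponent(B), n) - 1, n)


def primes_in(lo, hi):
    """Primes Q with lo < Q <= hi (trial division; fine for small bounds)."""
    return [q for q in range(lo + 1, hi + 1)
            if q > 1 and all(q % d for d in range(2, int(q ** 0.5) + 1))]


def pollard_pm1_stage2(n, B, B2, a=2):
    """Second stage: test gcd(a^{Q M(B)} - 1, n) for each prime Q in (B, B2].
    Successive powers are reached by multiplying with a^{(Q_i - Q_{i-1}) M(B)};
    the prime gaps take few distinct values, so those factors are cached."""
    base = pow(a, stage1_exponent(B), n)       # a^{M(B)} mod n
    gap_power = {}
    prev = cur = None
    for q in primes_in(B, B2):
        if prev is None:
            cur = pow(base, q, n)              # a^{Q_1 M(B)}
        else:
            gap = q - prev
            if gap not in gap_power:
                gap_power[gap] = pow(base, gap, n)
            cur = cur * gap_power[gap] % n     # a^{Q_i M(B)} from a^{Q_{i-1} M(B)}
        prev = q
        g = gcd(cur - 1, n)
        if 1 < g < n:
            return g
    return 1                                   # no prime in (B, B2] helped
```

pollard_pm1(527, 10) returns 527 and pollard_pm1(527, 10, a=3) returns 31, reproducing the failure and the fix above; for 4747 stage one returns 1 for base 2 and pollard_pm1_stage2(4747, 10, 30) returns 47.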

The two above algorithms, Pollard Rho and Pollard $p - 1$, are called probabilistic algorithms. We are no longer sure that they will succeed. However, when they don't succeed, we can often change parameters. It is an art to find the right parameters for these algorithms. For the Pollard Rho method, we can replace the function $x^2 + 1$ with another irreducible polynomial like $x^2 + 2$ or $x^2 + 3$. We can vary the parameters for the Pollard $p - 1$ method by changing the base $a$ and the smoothness bound $B$, or apply the second stage as described above.


2.6 Dixon’s Algorithm 


In the next two sections, we are going to focus on two methods that are considered the best for factoring much larger numbers. These two methods are the Quadratic Sieve and the Number Field Sieve. Before we go on to discuss the Quadratic Sieve, we are going to focus on a similar yet easier method called Dixon's algorithm. It is based on Fermat's idea that if we can find two integers $x$ and $y$ such that $x^2 \equiv y^2 \pmod n$ then we can often factor $n$ by finding $\gcd(x - y, n)$.

Dixon's Algorithm starts by letting $f(x) = x^2 \bmod n$. If we can find $x$ such that $f(x) = y^2$ is a perfect square over the integers, then $n$ may be factored since $x^2 \equiv y^2 \pmod n$. A perfect square $f(x)$ will be achieved through the means of exponent vectors, which we will now describe. If $f(x)$ is factored completely, then it has the form

$f(x) = p_1^{e_1} \times p_2^{e_2} \times \cdots \times p_m^{e_m}$.

We call $(e_1, e_2, \ldots, e_m)$ the exponent vector of $f(x)$. In the case that $f(x)$ is a perfect square, all the $e_i$'s will be even; usually most of them will be zero in any factorization of $f(x)$. The idea is to force this to happen by multiplying different $f(x)$'s together. For example, if $f(x_1) = p_1^{e_1} \times p_2^{e_2} \times \cdots \times p_m^{e_m}$ and $f(x_2) = p_1^{e'_1} \times p_2^{e'_2} \times \cdots \times p_m^{e'_m}$, then $f(x_1 x_2) \equiv f(x_1) f(x_2) = p_1^{e_1 + e'_1} \times p_2^{e_2 + e'_2} \times \cdots \times p_m^{e_m + e'_m}$. Let $v(x)$ denote the exponent vector reduced modulo $2$, that is, $v(x) = (e_1 \bmod 2, \ldots, e_m \bmod 2)$ if $f(x) = p_1^{e_1} \times p_2^{e_2} \times \cdots \times p_m^{e_m}$. Therefore $f(x_1 x_2) \equiv f(x_1) f(x_2)$ is a square if and only if $\sum v(x_i)$ has all entries zero modulo $2$.

Our plan is to choose a suitable smoothness bound $B$, then find several $f(x)$ that are $B$-smooth. We will record their exponent vectors $v(x)$. Then we will do Gaussian elimination modulo $2$ on these vectors to find a subset whose sum is zero. From a linear algebra perspective, our goal boils down to finding a linear dependency among the vectors $v(x)$. We know that a set of vectors must be linearly dependent when there are more of them than the dimension of the vector space. Therefore a sufficient condition for the existence of a product of $f(x)$'s that is a square is having at least $\pi(B) + 1$ values of $f(x)$ that are $B$-smooth.

After we find a collection of $v(x_i)$ whose entries sum to zero (mod $2$), the product of the corresponding $f(x_i)$'s will be a perfect square. Combining the $f(x_i)$ we have:

$y^2 = f(x_1) \times f(x_2) \times \cdots \times f(x_k) \equiv x_1^2 \times x_2^2 \times \cdots \times x_k^2 \pmod n$

or

$y^2 \equiv (x_1 x_2 \cdots x_k)^2 \pmod n$.

Use Fermat's method by computing $\gcd(y - (x_1 x_2 \cdots x_k), n)$ to find a factor of $n$. For example, let $n = 589$ be the number to be factored and $B = 10$. We only want to keep the $f(x)$ that factor into primes smaller than $10$: $f(20) = 2^4 \times 5^2$, $f(21) = 3^2 \times 7^2$, $f(24) = 2^6 \times 3^2$, $f(25) = 2^2 \times 3^2$, $f(27) = 2^2 \times 5 \times 7$, $f(29) = 2^2 \times 3^2 \times 7$, $f(33) = 2^2 \times 5^3$, $f(34) = 3^4 \times 7$.

Right away we can see that $f(24) \times f(25) = (2^4 \times 3^2)^2$ is a perfect square. Therefore $19 = \gcd(24 \times 25 - 2^4 \times 3^2, 589)$ is a factor of $n = 589$. Similarly we can pair $f(34)$ with $f(29)$, which gives us $(2 \times 3^3 \times 7)^2$. Therefore $19 = \gcd(34 \times 29 - 2 \times 3^3 \times 7, 589)$.

The problem with this method is finding $B$-smooth values of $f(x)$. For a random $x$, the chance for $f(x)$ to factor completely over the factor base is small if $n$ is large. That is why the next method, the Quadratic Sieve, becomes an improvement of Dixon's Algorithm. Nevertheless, for large enough values of $n$, Dixon's method beats Trial Division as well as the two Pollard methods.


2.7 Quadratic Sieve


As mentioned earlier, the Quadratic Sieve is associated with Dixon's Algorithm, but a sieving procedure is incorporated in the method in order to find a collection of $f(x_i)$ that are $B$-smooth. Unlike Dixon's Algorithm, which starts with a sequence of $f(x_i) = x_i^2 \pmod n$, the Quadratic Sieve computes $x^2 - n$ where $x$ starts from the value $\lfloor\sqrt{n}\rfloor$ in order to keep $x^2 - n$ close to zero. The idea is that the smaller the value of $x^2 - n$, the more likely it is to be smooth. The goal is to obtain a sequence of smooth numbers of the form $x^2 - n$. Then, as in Dixon's Algorithm, we use linear algebra to find a subsequence $x_1^2 - n, x_2^2 - n, \ldots, x_k^2 - n$ whose product is a perfect square. Denote

$\prod_{i=1}^{k} (x_i^2 - n) = a^2$ and $\prod_{i=1}^{k} x_i \pmod n = b$;

therefore $a^2 \equiv b^2 \pmod n$. If $a \not\equiv \pm b \pmod n$, we can find a factor of $n$ by computing $\gcd(a - b, n)$. The Quadratic Sieve has four steps: initialization, sieving, linear algebra, factorization.


2.7.1 Initialization 


In this step, we need to set up the factor base, which involves deciding on the bound $B$. If $B$ is chosen to be small, we don't have to find too many $B$-smooth values of $x^2 - n$ in order to produce a subset product that is a square. In addition, the matrix for the linear algebra step discussed later will be small. But $B$-smooth values of $x^2 - n$ are then so special that we have to search hard for even one entry. On the other hand, if $B$ is chosen to be large, we will find them more easily. Remember that our goal is to find a sequence of $B$-smooth values of $x^2 - n$ and combine them to create a square. Therefore finding $B$-smooth values of $x^2 - n$ may not be hard, but finding enough $B$-smooth values to find a dependency will be difficult. In addition, the matrix in the linear algebra step will be quite large. So it is a matter of balancing out these two conflicting forces.

The factor base consists of primes $p$ up to $B$. If $p$ divides $x^2 - n$ then $x^2 \equiv n \pmod p$. In other words, $n$ is a quadratic residue modulo $p$. In this case, the Legendre symbol $\left(\frac{n}{p}\right) = 1$. There will be exactly $\frac{p-1}{2}$ incongruent quadratic residues and the same amount of quadratic nonresidues for any odd prime $p \le B$. We can use Euler's Criterion to detect those primes for which $n$ is a quadratic residue.

Theorem 7. (Euler's Criterion)
Let $p$ be an odd prime number and let $n \in \mathbb{Z}$ with $p \nmid n$. Then

$\left(\frac{n}{p}\right) \equiv n^{(p-1)/2} \pmod p$.


As an example, we are going to try to factor $n = 18079$. Suppose we choose the smoothness bound $B$ to be $40$. The factor base would consist of $2, 3, 5, 13, 17, 23$: the odd primes are included since their Legendre symbols equal $1$, and $2$ is always included since $x^2 - n$ is even whenever $x$ is odd. For example, $5$ belongs to the factor base since its Legendre symbol $\left(\frac{18079}{5}\right) \equiv 18079^{(5-1)/2} \equiv 1 \pmod 5$. The rest of the odd primes smaller than $B = 40$ have $\left(\frac{18079}{p}\right) = -1$. We also want to include $-1$ in the factor base since that allows us to choose $x < \sqrt{n}$ and $x^2 - n < 0$.

As preparation for the sieving step, we need to figure out for what values of $x$ we have $p \mid x^2 - n$. That is, we need to solve the congruences $x^2 \equiv n \pmod p$ for all the $p$ in the factor base. Since $g(x) = x^2 - n$ may be divisible by $p$ more than once, we will also solve $x^2 \equiv n \pmod{p^k}$.

For the first prime $2$ and odd $n$, we realize that $x^2 - n$ is divisible by $2$ when $x$ is odd. When $n \equiv 3$ or $7 \pmod 8$ then $x^2 - n$ is divisible by $2$ but not divisible by any higher power of $2$. When $n \equiv 5 \pmod 8$ then $x^2 - n$ is divisible by $4$ but not by $8$. When $n \equiv 1 \pmod 8$ then $8 \mid x^2 - n$. So $n \equiv 1 \pmod 8$ is the most general case among the three, and there is a way to convert the first two cases to the general one. For $n \equiv 5 \pmod 8$, multiply it by $5$ to get $5n \equiv 25 \equiv 1 \pmod 8$. Similarly, if $n \equiv 3 \pmod 8$ then multiply it by $3$, and if it is congruent to $7$ then multiply it by $7$.

For $p \equiv 3 \pmod 4$ or $p \equiv 5 \pmod 8$, we can use the following theorem to solve for $x$.

Theorem 8. Let $n$ be a quadratic residue modulo the prime $p$.
1. If $p = 4k + 3$, then $x \equiv n^{k+1} \pmod p$.
2. If $p = 8k + 5$ and $n^{2k+1} \equiv 1 \pmod p$, then $x \equiv n^{k+1} \pmod p$.
3. If $p = 8k + 5$ and $n^{2k+1} \equiv -1 \pmod p$, then $x \equiv (4n)^{k+1} \times \frac{p+1}{2} \pmod p$.

The following theorem is slightly slower than Theorem 8 but it can be used for any odd prime.

Theorem 9. Let $n$ be a quadratic residue modulo an odd prime $p$ and let $h$ be chosen so that the Legendre symbol $\left(\frac{h^2 - 4n}{p}\right)$ is $-1$. Define a sequence $v_1, v_2, \ldots$ by the recursion

$v_1 = h$,
$v_2 = h^2 - 2n$,
$v_j = h \times v_{j-1} - n \times v_{j-2}$.

Then we have

$v_{2j} = v_j^2 - 2n^j$

and

$v_{2j+1} = v_j \times v_{j+1} - h \times n^j$.

The solution to the congruence $x^2 \equiv n \pmod p$ is $x \equiv v_{(p+1)/2} \times \frac{p+1}{2} \pmod p$.

As mentioned earlier, we need to solve the congruences $x^2 \equiv n \pmod p$ for all $p$ in the factor base. For example, we can use Theorem 8 to solve $x^2 \equiv 18079 \pmod{13}$. Since $p = 13 = 8k + 5$ with $k = 1$ and $n^{2k+1} = 18079^3 \equiv 1 \pmod{13}$, we get $x \equiv n^{k+1} = 18079^2 \equiv 3 \pmod{13}$.


2.7.2 Sieving 


The purpose of this step is to locate smooth values of $x^2 - n$ as $x$ changes. It works similarly to the sieve of Eratosthenes, which we first review. Suppose we want to find all prime numbers less than or equal to a certain bound $X$. By a lemma in number theory we know that if $X$ is a composite number then $X$ has a prime divisor less than or equal to $\sqrt{X}$. From a list of integers from $2$ to $X$, we cross out all the multiples of all the primes up to $\sqrt{X}$, but not the primes themselves. All the numbers that are left unmarked are primes. For the sieving step in the Quadratic Sieve algorithm, we are only interested in the marked numbers: the more marks a number has, the more primes of the factor base that number is divisible by.

In order to locate the values of $x$ such that $x^2 - n$ is divisible by $p$, we solve the congruence $x^2 - n \equiv 0 \pmod p$ as mentioned in the previous section. Once we find the first values of $x$, $x_1 \equiv r$ and $x_2 \equiv p - r \pmod p$, for which $p \mid g(x)$, we can spot the other values of $x$ with $p \mid g(x)$ by simply adding $p$ to the first locations. A simple computation explains why we can add $p$ to the first $x$ with $g(x)$ divisible by $p$ and the new entries $g(x + p)$ are still divisible by $p$. We have $x^2 - n \equiv 0 \pmod p$, or $x^2 - n = kp$. Then $g(x + p) = (x + p)^2 - n = x^2 + 2xp + p^2 - n = (x^2 - n) + (2xp + p^2) = kp + p(2x + p)$. So $g(x + p)$ is divisible by $p$.

From the above example we have $x \equiv 3$ as the first solution to the congruence $x^2 - 18079 \equiv 0 \pmod{13}$. Since $x$ starts from $\lfloor\sqrt{18079}\rfloor = 134$, the first value with $x^2 - n \equiv 0 \pmod{13}$ is $x_1 = 3 + 11 \cdot 13 = 146$, and for the second root $x \equiv 13 - 3 \equiv 10 \pmod{13}$ the first value is $x_2 = 140$. We have two paths to branch off, starting from the initial solutions of the congruence $g(x) = x^2 - n \equiv 0$, to find the remaining locations for the two residue classes. For $x_1 = 146$, we have $x^2 - 18079 \equiv 0 \pmod{13}$, and the next place that $x^2 - 18079$ is divisible by $13$ is $g(146 + 13) = g(159) = 159^2 - 18079 \equiv 0 \pmod{13}$. Similarly, the next place that $g(x)$ is divisible by $13$ after the initial value $x_2 = 140$ is $g(140 + 13) = g(153)$. The same procedure is done for all the primes in the factor base.

As mentioned earlier, we are interested only in $g(x)$ entries that have a lot of marked primes, preferably small primes. The Quadratic Sieve helps to recognize smooth values of $g(x) = x^2 - n$. The sieve starts with the values of $g(x)$. Every time a $g(x)$ is divisible by a prime in the factor base, we replace the current value of $g(x)$ with its quotient by that prime. By the time we are done sieving the values of $g(x)$ through the factor base, those that are left with the value $1$ are $B$-smooth. Instead of using division, we can subtract $\log p$ from $\log(x^2 - n)$ each time $p$ divides the corresponding $g(x)$. By the end of the sieving process, such smooth $g(x)$ will have a value close to zero. Continuing from the example above, we find the following values of $g(x) = x^2 - n$ that completely factor over the factor base after the sieving step:

$g(139) = 2 \times 3^3 \times 23$

$g(148) = 3^2 \times 5^2 \times 17$

$g(158) = 3^4 \times 5 \times 17$

$g(166) = 3^6 \times 13$

$g(185) = 2 \times 3^3 \times 13 \times 23$

$g(192) = 5 \times 13 \times 17^2$

$g(198) = 5^3 \times 13^2$
2.7.3 Linear Algebra

After the last step, we should have a collection of $g(x)$ values that factor completely over the factor base. The goal of this next step is to use linear algebra to find a subset of these values such that their product is a square. Similar to what was mentioned earlier in section 2.6, each $g(x)$, if factored completely, can be expressed as:

$g(x) = p_1^{e_1} \times p_2^{e_2} \times \cdots \times p_{\pi(B)}^{e_{\pi(B)}}$.

The factorization of each value $g(x)$ is recorded as:

$v(x) = (e_1, e_2, \ldots, e_{\pi(B)}) \bmod 2$,

where $e_i$ is replaced by $0$ if it is even and by $1$ if it is odd. Therefore each $g(x)$ is represented as a sequence of $0$'s and $1$'s. For example, if our factor base is $\{-1, 2, 3, 5, 13, 17, 23\}$ and $g(x) = 2 \times 5^3 \times 13$ then it is represented as $(0, 1, 0, 1, 1, 0, 0)$.

Finding a subset of $g(x)$'s such that their product is a square is therefore the same as finding those whose corresponding exponent vectors add up to $0 \pmod 2$. The problem boils down to finding a linear dependency in the set of vectors. We need to find more values of $g(x)$ than the number of elements in the factor base in order to ensure the dependency. If the bound for the smoothness is $B$, then $\pi(B) + 1$ $B$-smooth values of $g(x)$ would be sufficient. The task at hand now is to set up the matrix formed with these vectors.

Denote the matrix we are going to form by $A$. The rows of the matrix will be the binary exponent vectors corresponding to the values of $g(x)$ that are $B$-smooth, whereas the columns correspond to the primes in the factor base. Notice that the first column of zeros, which corresponds to the positive signs of the seven values of $g(x)$, is omitted for easy computation. All we need to do now is to look for a vector $\mathbf{x}$ such that $A^T \mathbf{x} = 0$. This problem can be solved by Gaussian elimination of the matrix $A^T$ modulo $2$.


The matrices corresponding to the above smooth values of g(x) are (rows of A in the
order g(139), g(148), g(158), g(166), g(185), g(192), g(198); columns in the order 2, 3, 5, 13, 17, 23):

$$A = \begin{bmatrix}
1 & 1 & 0 & 0 & 0 & 1 \\
0 & 0 & 0 & 0 & 1 & 0 \\
0 & 0 & 1 & 0 & 1 & 0 \\
0 & 0 & 0 & 1 & 0 & 0 \\
1 & 1 & 0 & 1 & 0 & 1 \\
0 & 0 & 1 & 1 & 0 & 0 \\
0 & 0 & 1 & 0 & 0 & 0
\end{bmatrix}, \qquad
A^T = \begin{bmatrix}
1 & 0 & 0 & 0 & 1 & 0 & 0 \\
1 & 0 & 0 & 0 & 1 & 0 & 0 \\
0 & 0 & 1 & 0 & 0 & 1 & 1 \\
0 & 0 & 0 & 1 & 1 & 1 & 0 \\
0 & 1 & 1 & 0 & 0 & 0 & 0 \\
1 & 0 & 0 & 0 & 1 & 0 & 0
\end{bmatrix}$$

Gaussian elimination reduces $A^T$ to

$$\begin{bmatrix}
1 & 0 & 0 & 0 & 1 & 0 & 0 \\
0 & 1 & 1 & 0 & 0 & 0 & 0 \\
0 & 0 & 1 & 0 & 0 & 1 & 1 \\
0 & 0 & 0 & 1 & 1 & 1 & 0 \\
0 & 0 & 0 & 0 & 0 & 0 & 0 \\
0 & 0 & 0 & 0 & 0 & 0 & 0
\end{bmatrix}$$

Assigning values to the free variables, one of the solutions that we come up with is
$(0,1,1,0,0,0,1)^T$, which implies that the sum of the second, third and seventh columns is
zero. Therefore, from the solution we can tell what linear combination of the g(x)'s would
give us the square, namely $g(148) \times g(158) \times g(198) = (3^3 \times 5^3 \times 13 \times 17)^2$. Another solution
that we have is $(1,0,0,1,1,0,0)^T$, corresponding to $g(139) \times g(166) \times g(185) = (2 \times 3^6 \times 13 \times 23)^2$.


2.7.4 Factorization


Up to this point, we have found a subset of $g(x) = x^2 - n$ whose product
$(x_1^2 - n)(x_2^2 - n) \cdots (x_k^2 - n)$ is a square. From the exponent vectors of the $x_i^2 - n$, we can
calculate the prime factorization of the product $(x_1^2 - n)(x_2^2 - n) \cdots (x_k^2 - n)$ and therefore
$\sqrt{(x_1^2 - n)(x_2^2 - n) \cdots (x_k^2 - n)}$.

Denote $a = \sqrt{(x_1^2 - n)(x_2^2 - n) \cdots (x_k^2 - n)} \pmod n$ and $b = x_1 x_2 \cdots x_k \pmod n$.
We have $a^2 \equiv b^2 \pmod n$. If $a \not\equiv \pm b \pmod n$, then n can be factored by computing $\gcd(a - b, n)$.

From the above example, corresponding to the solution $(1,0,0,1,1,0,0)^T$ we have:

$g(139) = 139^2 - n = 2 \times 3^3 \times 23$

$g(166) = 166^2 - n = 3^6 \times 13$

$g(185) = 185^2 - n = 2 \times 3^3 \times 13 \times 23$

$a = \sqrt{(139^2 - n)(166^2 - n)(185^2 - n)} \pmod n$
$a = 2 \times 3^6 \times 13 \times 23 \pmod n$
$a = 2046 \pmod n$

$b = 139 \times 166 \times 185 \pmod n$
$b = 2046 \pmod n$

Unfortunately, $a \equiv b \pmod n$, so we cannot find a nontrivial factor of n by computing
$\gcd(a - b, n)$. Corresponding to the other solution $(0,1,1,0,0,0,1)^T$ above, we have:

$g(148) = 148^2 - n = 3^2 \times 5^2 \times 17$

$g(158) = 158^2 - n = 3^4 \times 5 \times 17$

$g(198) = 198^2 - n = 5^3 \times 13^2$

$a = \sqrt{(148^2 - n)(158^2 - n)(198^2 - n)} \pmod n$
$a = 3^3 \times 5^3 \times 13 \times 17 \pmod n$
$a = 4636 \pmod n$

$b = 148 \times 158 \times 198 \pmod n$
$b = 1808 \pmod n$

Since $a \not\equiv \pm b \pmod n$, n will then be factored by computing $\gcd(4636 - 1808, 18079) = 101$.
Therefore $18079 = 101 \times 179$.




2.7.5 Large Prime Variations and Multiple Polynomials


Among many suggestions for improvement, the two refinements that have been
proved to improve the running time are the large prime variation and the multiple polynomial
version [Bre89].

The large prime variation is based on the idea that if we remove all the primes up to B from the factorization
of a number, the remaining factor of that number is a prime provided it is less than $B^2$.
With that in mind, we can utilize those numbers that are almost B-smooth except that they
have one prime factor slightly larger than B. The easy way to get rid of that large prime factor
is to pair it up with another number with the same large prime factor. As a result, it
is necessary to keep track of the large prime factors. If one appears just once, we discard
it since we cannot use it to make a square. Notice that allowing one large prime in the
interval $(B, B^2]$ for this variation is not the same as increasing the smoothness bound to
$B^2$. As a result we should not view this type of number as having long exponent vectors.

Suppose we have a pair of $x^2 - n$ values that satisfy the above condition, namely
$x_1^2 - n = \prod p_i^{e_i} P \pmod n$ and $x_2^2 - n = \prod p_i^{f_i} P \pmod n$, where $B < P < B^2$ and $p_i < B$.
Then $(x_1 x_2)^2 \equiv \prod p_i^{e_i + f_i} P^2 \pmod n$. Since the exponent vectors are reduced mod 2,
the contribution of $P^2$ to the exponent vector doesn't matter because it is reduced to 0
anyway. Therefore $(x_1^2 - n)(x_2^2 - n)$ can be thought of as B-smooth. Since it is hard to find
the second large prime to match up with the first one, it is wise to set a limit for the
range of the interval where the large prime will be kept, for instance $(2B, 20B]$ or $(B, 100B]$.
From the above example, we could have paired $(177^2 - 18079)$ with $(141^2 - 18079)$ to
produce a smooth number. Since $177^2 - 18079 = 2 \times 5^3 \times 53$ and $141^2 - 18079 = 2 \times 17 \times 53$,
their product contains only factors smaller than B = 40 except for $53^2$. The contribution
of the factor $53^2$ does not affect the smoothness of the product since it will be reduced
to 0 mod 2 in the exponent vector.
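The linear-algebra step of 2.7.3, the square-root and gcd step of 2.7.4 and the large-prime pairing just described, carried out on the page's own relations for n = 18079, as an added Python example that is not part of the original thesis. It trial-divides g(x) = x^2 - n over the factor base {2, 3, 5, 13, 17, 23} (the sign column is omitted as on the page, so every x is taken above sqrt(n)), holds back relations whose cofactor is one large prime P in (B, B^2] until a partner with the same P appears and then merges the pair, finds the dependencies A^T x = 0 by Gaussian elimination over GF(2), and computes a and b for each dependency until gcd(a - b, n) splits n. The x values are the seven listed on the page plus the pairing example's 177 and 141; everything else is this example's own code.

```python
from math import gcd

# Values from the page's worked example (constructed input for this demo).
N = 18079
B = 40
FACTOR_BASE = [2, 3, 5, 13, 17, 23]   # primes below B with n a quadratic residue; sign column omitted
PAGE_XS = [139, 148, 158, 166, 185, 192, 198]


def trial_divide(v, fb):
    """Exponents of v over the factor base fb, plus the unfactored cofactor."""
    exps = []
    for p in fb:
        e = 0
        while v % p == 0:
            v //= p
            e += 1
        exps.append(e)
    return exps, v


def collect_relations(n, fb, xs, large_bound):
    """Full relations (x_list, exponents, extra) from g(x) = x^2 - n.

    A relation whose cofactor is a single large prime P with B < P <= large_bound
    is held back until a second relation with the same P appears; the pair is then
    merged into one full relation whose product contains P^2. `extra` records P so
    that the square root can include it."""
    full, partial = [], {}
    for x in xs:                         # x > sqrt(n) here, so g(x) > 0
        exps, cof = trial_divide(x * x - n, fb)
        if cof == 1:
            full.append(([x], exps, 1))
        elif B < cof <= large_bound:
            if cof in partial:
                x2, exps2 = partial.pop(cof)
                full.append(([x, x2], [e1 + e2 for e1, e2 in zip(exps, exps2)], cof))
            else:
                partial[cof] = (x, exps)
    return full


def to_bitmask(exps):
    """Exponent vector reduced mod 2, packed into an int (bit i <-> factor-base prime i)."""
    return sum(1 << i for i, e in enumerate(exps) if e % 2)


def gf2_dependencies(rows):
    """Gaussian elimination over GF(2). Each row is a bitmask; returns the index sets
    of rows whose vectors sum to zero mod 2, i.e. the solutions of A^T x = 0."""
    pivots, deps = {}, []
    for i, v in enumerate(rows):
        combo = 1 << i                   # which original rows are summed into v
        while v:
            col = v.bit_length() - 1
            if col not in pivots:
                pivots[col] = (v, combo)
                break
            pv, pc = pivots[col]
            v ^= pv
            combo ^= pc
        if v == 0:
            deps.append({j for j in range(len(rows)) if combo >> j & 1})
    return deps


def square_pair(n, fb, rels):
    """For a dependency: a = sqrt(prod g(x)) mod n (summed exponents, halved)
    and b = prod x mod n, so that a^2 = b^2 (mod n)."""
    total = [0] * len(fb)
    a = b = 1
    for xs, exps, extra in rels:
        total = [t + e for t, e in zip(total, exps)]
        a = a * extra % n                # a merged pair contributes P^2, so the root gets P
        for x in xs:
            b = b * x % n
    for p, e in zip(fb, total):
        assert e % 2 == 0, "a dependency must give even exponents"
        a = a * pow(p, e // 2, n) % n
    return a, b


def factor(n, fb, xs, large_bound=B * B):
    """Try every dependency until a != +-b (mod n); then gcd(a - b, n) is a proper factor."""
    rels = collect_relations(n, fb, xs, large_bound)
    for dep in gf2_dependencies([to_bitmask(r[1]) for r in rels]):
        a, b = square_pair(n, fb, [rels[i] for i in dep])
        if a != b and (a + b) % n != 0:
            return gcd(a - b, n)
    return None


if __name__ == "__main__":
    print(factor(N, FACTOR_BASE, PAGE_XS))                        # 101
    print(factor(N, FACTOR_BASE, sorted(PAGE_XS + [141, 177])))   # with the large-prime pair
```

Run on the seven page relations, the first dependency found is {139, 166, 185}, which gives a = b = 2046 and is skipped exactly as on the page, and the dependency {148, 158, 198} then yields gcd(4636 - 1808, 18079) = 101. Adding 141 and 177 produces the merged relation 2^2 x 5^3 x 17 x 53^2, whose exponent vector mod 2 equals that of g(158).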

There is also a double-prime variation. The single prime variation is based on the
idea that if an integer in the interval $(1, B^2]$ has all its prime factors larger than B, then it
is prime, while the double-prime version works with numbers in the interval $(B^2, B^3)$.
Once we remove all the prime factors up to B and the remaining unfactored portion
exceeds $B^2$, a test can be done to decide whether the unfactored portion is a prime.
Denote the unfactored portion Q. We can find out whether Q is a prime by checking
whether $2^{Q-1} \equiv 1 \pmod Q$. If it does, then there is a good chance that Q is a prime. Such a Q
will be too big to be valuable anyway; therefore it will be discarded. If Q can be shown
to be composite, then it will be factored using some of the previous simple methods.
Suppose $Q = q_1 q_2$. Suppose there is some $x^2 - n$ that is almost B-smooth except for
two prime factors larger than B, namely $q_1$ and $q_2$. The goal is to search for some other
$x^2 - n$ that uses $q_1$, $q_2$, or both. For example, suppose the factorizations of some $x^2 - n$
are $q_1 s_1$, $q_2 s_2$, $q_1 q_2 s_3$ where $s_1, s_2, s_3$ are B-smooth. Notice that the product of the
above factorizations is $q_1^2 q_2^2 s_1 s_2 s_3$, which may be considered to be B-smooth since the
prime factors above B have even exponents.

The second improvement is due to Peter Montgomery [Bre89]. It is based on the idea
that the smaller $x^2 - n$ is, the more likely it is to be smooth. Therefore we want to keep $x^2 - n$
close to zero by starting x from $\lceil \sqrt{n} \rceil$. But as x values move away from $\lceil \sqrt{n} \rceil$, it is hard
to find $x^2 - n$ smooth since it gets big rapidly. The multiple polynomial variation takes
care of this problem by using many polynomials instead of just $x^2 - n$. Basically we just
replace x with a linear function of x. The suggestion is to look at polynomials of the form

$$f(x) = ax^2 + 2bx + c$$

where a, b, c are integers with $n = b^2 - ac$. Then

$$a \times f(x) = a^2 x^2 + 2abx + ac = a^2 x^2 + 2abx + b^2 - n = (ax + b)^2 - n.$$

Notice that if p is a factor of f(x) then $p \mid (ax + b)^2 - n$, so n is a quadratic
residue modulo p. Therefore the factor base consists of the same elements as in the basic
Quadratic Sieve algorithm. It is nice that we can use various polynomials without having
an effect on the factor base. Also, since

$$(ax + b)^2 - n = a \times f(x),$$

instead of evaluating $(ax + b)^2 - n$ for smoothness, we can deal with $a \times f(x)$. If a is a
square times a B-smooth number and f(x) is B-smooth, then $a \times f(x)$ can be thought of
as B-smooth, especially when its exponent vector is reduced modulo 2. Finding values of
f(x) that are B-smooth is a matter of keeping f(x) small. This depends on the choice of
a, b, c and the sieving interval. We decided at the start that we only want to sieve over
an interval of length 2M. In order to make the interval of length 2M fall precisely on
[-M, M], we choose $|b| < a/2$.

Note that the minimum value of f(x) is achieved at $x = -b/a$ and the corresponding
value of f(x) at that point is $f(-b/a) = -n/a$. The values of f(x) at the
end points are:

$$f(-M - b/a) = f(M - b/a) = aM^2 - n/a \qquad (2.1)$$

Setting the absolute values of the minimum and of the end point values equal to each other, we have $n/a = aM^2 - n/a$, or $a = \sqrt{2n}/M$.
Therefore, by choosing $a = \sqrt{2n}/M$ we can force the range of f(x) to be small for values
of x in our sieving region. Next, choose b to be the solution of the congruence $b^2 \equiv n \pmod a$
with $|b| < a/2$, and $c = (b^2 - n)/a$. We now have all the coefficients a, b, and c, and we can
form the function $f(x) = ax^2 + 2bx + c$. A suggestion is to take various primes $p \approx (2n)^{1/4} M^{-1/2}$
with $\left(\frac{n}{p}\right) = 1$, and choose $a = p^2$. With that selection, a satisfies the requirement
that it has to be a product of a square and a B-smooth number, and $a \approx \sqrt{2n}/M$.

Once we have found the function f(x), for each p in the factor base with $\left(\frac{n}{p}\right) = 1$, we
need to solve the congruence $ax^2 + 2bx + c \equiv 0 \pmod p$, since we will proceed with the
sieving as before to look for B-smooth values of the function f(x). This process of finding
roots for the congruence is referred to as the initialization problem since it can be very
time-consuming. Especially when we use many polynomials, this method may not turn
out to be as advantageous as we thought.

Pomerance came up with the solution called self-initialization to save the running
time for the polynomial switching process. Let's look at the roots of the congruence

$$f(x) \equiv 0 \pmod p$$
$$[(ax + b)^2 - n]\, a^{-1} \equiv 0 \pmod p$$
$$(ax + b)^2 \equiv n \pmod p.$$

Let t(p) be a square root of n (mod p). Then $ax + b \equiv \pm t(p)$, or

$$x \equiv (-b \pm t(p))\, a^{-1} \pmod p.$$

If a has k distinct prime factors, then there are $2^{k-1}$ choices for b based on the
way b is chosen, namely $b^2 \equiv n \pmod a$. If we choose $a = p^2$ as mentioned earlier, then
there is only one choice for b subject to the constraint that $|b| < a/2$. Whereas if we choose
a to be a product of ten primes then there will be $2^9$ choices for b. Taking advantage of
this, we can save time finding solutions of so many polynomials by using the same value
of a. So for each value of a which is a product of 10 primes, we only need to compute
t(p) once but we can use it for $2^9$ polynomials.
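A construction of one multiple-polynomial quadratic sieve polynomial and its sieve roots along the lines just described, as an added Python example that is not from the thesis. It picks a prime p near (2n)^(1/4) / M^(1/2) with (n/p) = 1, sets a = p^2, lifts a square root of n mod p to a b with b^2 = n (mod a) and |b| < a/2 (a Hensel-lifting step the page does not spell out; it is this example's assumption for how that congruence is solved), computes c = (b^2 - n)/a, checks the identity a f(x) = (ax + b)^2 - n, compares max |f(x)| on [-M, M] with the roughly 2M sqrt(n) size of x^2 - n, and finds the sieve roots x = (-b +- t(p)) a^-1 (mod p). The modulus n = 1000003 x 1000033 and M = 1000 are constructed inputs.

```python
from math import isqrt


def is_prime(k):
    return k >= 2 and all(k % q for q in range(2, isqrt(k) + 1))


def is_qr(n, p):
    """Legendre symbol (n/p) = 1 for an odd prime p not dividing n (Euler's criterion)."""
    return pow(n % p, (p - 1) // 2, p) == 1


def sqrt_mod_small_prime(n, p):
    """t(p) with t^2 = n (mod p), found by search; fine for factor-base sized p."""
    return next(t for t in range(p) if (t * t - n) % p == 0)


def choose_p(n, M):
    """Prime p closest to (2n)^(1/4) / M^(1/2) with (n/p) = 1, so that a = p^2 ~ sqrt(2n)/M."""
    target = round((2 * n) ** 0.25 / M ** 0.5)
    for delta in range(target):
        for p in (target - delta, target + delta):
            if p >= 3 and is_prime(p) and n % p and is_qr(n, p):
                return p
    raise ValueError("no suitable prime near the target")


def build_polynomial(n, M):
    """Coefficients (a, b, c) of f(x) = a x^2 + 2 b x + c with n = b^2 - a c."""
    p = choose_p(n, M)
    a = p * p
    t = sqrt_mod_small_prime(n, p)
    # Hensel lift: b = t + k p satisfies b^2 = n (mod p^2) when k = ((n - t^2)/p) (2t)^-1 mod p
    k = ((n - t * t) // p) * pow(2 * t, -1, p) % p
    b = (t + k * p) % a
    if b > a // 2:
        b -= a                           # choose the representative with |b| < a/2
    c = (b * b - n) // a                 # exact, since b^2 = n (mod a)
    return a, b, c


def f(a, b, c, x):
    return a * x * x + 2 * b * x + c


def max_abs_f(a, b, c, M):
    """Largest |f(x)| over the sieve interval [-M, M]."""
    return max(abs(f(a, b, c, x)) for x in range(-M, M + 1))


def sieve_roots(n, a, b, p):
    """Solutions of f(x) = 0 (mod p) via (ax + b)^2 = n: x = (-b +- t(p)) a^-1 (mod p).
    Requires p not dividing a and (n/p) = 1."""
    t = sqrt_mod_small_prime(n, p)
    inv_a = pow(a, -1, p)
    return sorted({(-b + t) * inv_a % p, (-b - t) * inv_a % p})


if __name__ == "__main__":
    n, M = 1000003 * 1000033, 1000       # constructed example input
    a, b, c = build_polynomial(n, M)
    print(a, b, c)
    print(max_abs_f(a, b, c, M), 2 * M * isqrt(n))   # MPQS bound vs. the x^2 - n bound
    for p in (3, 5, 11):
        print(p, sieve_roots(n, a, b, p))
```

For this n and M the target is about 37.6, so p = 37 and a = 1369, against sqrt(2n)/M of about 1414; the lifted b is 79 and |f(x)| stays below M sqrt(n) across the whole interval, whereas x^2 - n reaches about 2M sqrt(n) at the edge of an interval of the same length.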

There is another advantage to using polynomials other than $x^2 - n$. If a is
approximately $\sqrt{2n}/M$ then by (2.1), $f(x) = ax^2 + 2bx + c$ is bounded by $(M\sqrt{n})/\sqrt{2}$
on the interval [-M, M]. In contrast, $x^2 - n$ is bounded by approximately $2M\sqrt{n}$ on the
interval $[\sqrt{n} - M, \sqrt{n} + M]$. The absolute value of f(x) is therefore smaller in the first
case by a factor of $2\sqrt{2}$. Being able to keep the values of f(x) down is an advantage since
they are more likely to be smooth.

Perhaps the best reason to use multiple polynomials is that the sieving can be
done in parallel on different processors. Each machine is in charge of doing the sieving
for its own polynomial. With this method, A.K. Lenstra and M.S. Manasse were able
to factor 100-digit integers successfully using roughly 400 computers around the world for
the sieving process.
Chapter 3


General Number Field Sieve


3.1 General Idea


Similar to both Dixon's method and the Quadratic Sieve, we try to factor n by
using the plan of Fermat. That is, by finding a solution to $x^2 \equiv y^2 \pmod n$. But in the
Quadratic Sieve we only need to work with one side of the congruence since the other side
was already a square. In the General Number Field Sieve, we are going to find squares
on both sides of the congruence. This results in a substantial savings in work, allowing
us to factor even larger numbers.

Basically we work with a ring homomorphism from the ring $\mathbb{Z}[\alpha]$ to $\mathbb{Z}/n\mathbb{Z}$, where $\alpha$
is a root of some monic and irreducible f(x) of degree d > 1 in $\mathbb{Z}[x]$. It will help to
have d odd, usually d = 5, as will be explained later. We do not need to compute the
complex number $\alpha$ numerically; all we need to know is that $\alpha$ stands for one of the roots of f.
An element in $\mathbb{Z}[\alpha]$ can be written in the form $\sum_{i=0}^{d-1} a_i \alpha^i$. Suppose that $m \in \mathbb{Z}$ satisfies
$f(m) \equiv 0 \pmod n$. We have a natural ring homomorphism $\varphi: \mathbb{Z}[\alpha] \to \mathbb{Z}/n\mathbb{Z}$ which is
induced by $\varphi(\alpha) = m \pmod n$. Therefore, $\varphi\left(\sum_i a_i \alpha^i\right) = \sum_i a_i m^i \pmod n$. For this
method, we only consider elements in $\mathbb{Z}[\alpha]$ of the form $a - b\alpha$.

The main goal is to find a non-empty set S of pairs (a, b) of relatively prime
integers such that we have the two following equations:

$$\prod_{(a,b) \in S} (a - bm) = v^2 \text{ is a square in } \mathbb{Z} \qquad (3.1)$$

$$\prod_{(a,b) \in S} (a - b\alpha) = \gamma^2 \text{ is a square in } \mathbb{Z}[\alpha] \qquad (3.2)$$

Let $u \in \mathbb{Z}$ with $\varphi(\gamma) \equiv u \pmod n$. Then $u^2 \equiv \varphi(\gamma)\varphi(\gamma) = \varphi(\gamma^2) = \varphi\left(\prod_{(a,b) \in S} (a - b\alpha)\right) = \prod_{(a,b) \in S} (a - bm) = v^2 \pmod n$. If u and v are known, then as in Fermat's method we
have a 50-50 chance of factoring n by computing $\gcd(u - v, n)$. Although this is the basic
idea, we will have to modify this plan later.


3.2 Polynomial Selection


The first thing we need to do to factor a positive integer n with the Number
Field Sieve algorithm is to find some monic polynomial f of degree d in $\mathbb{Z}[x]$ and an
integer m such that $f(m) \equiv 0 \pmod n$. We want m, as well as the coefficients of f, to
be as small as possible. Experimentally, the choice of d = 5 is acceptable for an integer
n of around 130 digits. One method goes as follows. Set $m = \lfloor n^{1/d} \rfloor$ and write n in base m:

$$n = m^d + c_{d-1} m^{d-1} + \cdots + c_0, \qquad 0 \le c_i < m.$$

Replacing m with x, we have a monic polynomial $f(x) = x^d + c_{d-1} x^{d-1} + \cdots + c_0$ for
which $f(m) \equiv 0 \pmod n$, since f(m) = n, and whose coefficients are on the order of $n^{1/d}$.
This polynomial is monic but may not be irreducible. If we have a nontrivial factorization
$f(x) = g(x)h(x)$ in $\mathbb{Z}[x]$, then n can be factored by $n = g(m)h(m)$ and we are done. If
f(x) is irreducible, we proceed to the next step.

For example, the base-m expansion of n = 44,831 is $n = 8^5 + 2 \cdot 8^4 + 7 \cdot 8^3 + 4 \cdot 8^2 + 3 \cdot 8 + 7$.
This expression yields $f(x) = x^5 + 2x^4 + 7x^3 + 4x^2 + 3x + 7$.


3.3 Sieving


The main goal of this step is to find a set T of pairs (a, b) such that both $a - bm$
and $a - b\alpha$ are smooth. The "smooth" concept will be defined momentarily in the context
of $\mathbb{Z}[\alpha]$. The set T will be constructed from sets $T_1$ and $T_2$, which are collections of pairs
(a, b) such that the numbers $a - bm$ and $a - b\alpha$, respectively, are smooth.

3.3.1 The Rational Sieve


The purpose of this step is to find a set $T_1$ which is a collection of $a - bm$ numbers
that are y-smooth, where the parameter y will be chosen depending on n.

Let $U = \{(a, b) \mid a, b \in \mathbb{Z},\ \gcd(a, b) = 1,\ |a| \le u,\ 0 < b \le u\}$.
The number u will be chosen later and will depend on n. It has to be sufficiently big
so that the set U contains a set S satisfying (3.1) and (3.2) simultaneously. For
the moment we only focus on the rational side of finding a set of pairs (a, b) such that $a - bm$ is
smooth. Denote this set by $T_1$,

$$T_1 = \{(a, b) \in U : a - bm \text{ is } y\text{-smooth}\}.$$

This set will be referred to as the rational base. Recall that an integer is y-smooth
if all of its prime divisors are less than or equal to y. A prime p divides $a - bm$
if and only if $a - bm \equiv 0 \pmod p$, and therefore $a \equiv bm \pmod p$. The sieving procedure
starts with an array of numbers $a - bm$ for a fixed integer $b \in (0, u]$ and lets a range over
the interval [-u, u]. For each prime $p \le y$, we identify those values of $a - bm$ satisfying
$a \equiv bm \pmod p$. As in the Quadratic Sieve, once such a pair is found, the value of $a - bm$
will then be divided by the highest power of the prime that divides it, and the quotient
will then replace the location of $a - bm$. Then the value of a is immediately increased by
p to give the next location where $p \mid a - bm$. By the end of the procedure, we scan for
locations with 1. Such locations correspond to a number $a - bm$ that is y-smooth. As in
the Quadratic Sieve, we can speed up the sieving process by initializing the array with
$\ln(a - bm)$ instead of $a - bm$, and subtracting $\ln(p)$ instead of dividing by p. By the end of
the procedure, we would look for values of $0 = \ln(1)$ instead of 1.


3.3.2 The Algebraic Sieve


In this step, we want to find a set $T_2$ of pairs (a, b) such that $a - b\alpha$ is smooth.
An element $a - b\alpha \in \mathbb{Z}[\alpha]$ is y-smooth if its norm $N(a - b\alpha) \in \mathbb{Z}$ is y-smooth. Let's
define the norm of an element of the form $a - b\alpha$. Let $\alpha_1, \ldots, \alpha_d$ be the complex roots of
the irreducible polynomial f(x). Then $(a - b\alpha_1), \ldots, (a - b\alpha_d)$ are the conjugates of $a - b\alpha$.
Define the norm by

$$N(a - b\alpha) = (a - b\alpha_1) \cdots (a - b\alpha_d) = b^d (a/b - \alpha_1) \cdots (a/b - \alpha_d) = b^d f(a/b),$$

since $f(x) = (x - \alpha_1)(x - \alpha_2) \cdots (x - \alpha_d)$.

So the norm of $a - b\alpha$ is the same as substituting a and b for x and y in the
homogeneous form of f, which is $F(x, y) = x^d + c_{d-1} x^{d-1} y + \cdots + c_0 y^d = y^d f(x/y)$.
Therefore, $N(a - b\alpha) = F(a, b)$. For products of numbers of the form $a - b\alpha$, we define
the norm by $N(xy) = N(x)N(y)$. It is easy to check that this is well-defined.

The norm $N(a - b\alpha) \in \mathbb{Z}$ is y-smooth if its prime divisors are less than or equal
to y. As a result, we want to keep track of small primes p such that $p \mid N(a - b\alpha)$, or
$N(a - b\alpha) \equiv 0 \pmod p$. Let $r \equiv ab^{-1} \pmod p$. Since $N(a - b\alpha) = F(a, b) = b^d f(a/b)$, p is a divisor
of $N(a - b\alpha)$ when $f(r) \equiv 0 \pmod p$, or $a \equiv br \pmod p$. Denote $R(p) = \{r \in [0, p - 1] : f(r) \equiv 0 \pmod p\}$.
The set R(p) is computed for each prime p in the factor base.

Similar to the rational sieve, we want to find a set $T_2$ which is a collection of
pairs (a, b) such that $a - b\alpha$ is y-smooth. This set will be referred to as the algebraic
base.

$$T_2 = \{(a, b) \in U : a - b\alpha \text{ is } y\text{-smooth}\}.$$

We start an array with the numbers $N(a - b\alpha)$ for each fixed b and let a vary in
the interval [-u, u]. For each $p \le y$ and each $r \in R(p)$, values of $N(a - b\alpha)$ that satisfy
$a \equiv br \pmod p$ will be identified. The value of each $N(a - b\alpha)$ will then be divided by the
highest power of the prime that divides it, and the quotient will then replace the entry
from which the number was retrieved. Any location that contains the number 1 at the end
of the procedure corresponds to a number $a - b\alpha$ that is y-smooth. Just like the above
section, we can use the approximate logarithms to speed up this process. Once a pair
(a, b) is identified, we increase a by p to get the next value of a where $p \mid N(a - b\alpha)$.

Up to this point, we have found collections $T_1$ and $T_2$ such that $a - bm$ and
$a - b\alpha$ are smooth respectively. In reality, the sieving process is set up in a way that both
arrays $(a - bm)$ and $N(a - b\alpha)$ are working side by side. Pairs (a, b) that are found
by the end of the process are those that make both $(a - bm)$ and $N(a - b\alpha)$ smooth. Denote
this set by $T = T_1 \cap T_2$. This process is harder than the Quadratic Sieve since we need
the same (a, b) from both sieves.
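The base-m polynomial selection of 3.2 and the side-by-side rational and algebraic sieves of 3.3, for the page's n = 44,831, as an added Python example that is not part of the thesis. The sieve divides by p at the positions a = bm (mod p) on the rational side and a = br (mod p), r in R(p), on the algebraic side, stepping by p as the text describes, but keeps each row in a dictionary instead of a log array and divides instead of subtracting ln(p). The parameters u = 10 and y = 29 are constructed and deliberately small; `valid_pair` is an independent trial-division check of the sieve's output.

```python
from math import gcd


def base_m_polynomial(n, d):
    """m = floor(n^(1/d)) and the base-m digits of n, so that f(x) = sum c_i x^i has f(m) = n.
    Returns (m, [c_0, ..., c_d]); c_d = 1 (f monic) as long as n < 2 m^d, which holds here."""
    m = 1
    while (m + 1) ** d <= n:
        m += 1
    digits, rest = [], n
    for _ in range(d + 1):
        digits.append(rest % m)
        rest //= m
    return m, digits


def poly_eval(coeffs, x):
    return sum(c * x ** i for i, c in enumerate(coeffs))


def homogeneous(coeffs, a, b):
    """F(a, b) = b^d f(a/b) = N(a - b alpha)."""
    d = len(coeffs) - 1
    return sum(c * a ** i * b ** (d - i) for i, c in enumerate(coeffs))


def roots_mod_p(coeffs, p):
    """R(p) = {r in [0, p-1] : f(r) = 0 (mod p)}."""
    return [r for r in range(p) if poly_eval(coeffs, r) % p == 0]


def primes_up_to(y):
    return [p for p in range(2, y + 1) if all(p % q for q in range(2, int(p ** 0.5) + 1))]


def is_y_smooth(v, y):
    v = abs(v)
    if v == 0:
        return False
    for p in primes_up_to(y):
        while v % p == 0:
            v //= p
    return v == 1


def sieve_row(b, u, primes, value_at, roots_of):
    """One sieve row for fixed b over a in [-u, u].
    value_at(a) is the (absolute) number at position a; roots_of(p) lists the residues r
    for which p divides value_at(a) whenever a = b r (mod p). Positions with value 0 or
    gcd(a, b) > 1 are skipped. Returns the positions left holding 1 (y-smooth entries)."""
    row = {a: value_at(a) for a in range(-u, u + 1) if value_at(a) != 0 and gcd(a, b) == 1}
    for p in primes:
        for r in roots_of(p):
            start = -u + ((b * r + u) % p)          # first a >= -u with a = b r (mod p)
            for a in range(start, u + 1, p):        # then step by p, as in the text
                if a in row:
                    while row[a] % p == 0:
                        row[a] //= p
    return {a for a, v in row.items() if v == 1}


def nfs_sieve(n, d, u, y):
    """Return m, the coefficients of f, and T = T1 intersect T2 for |a| <= u, 0 < b <= u."""
    m, coeffs = base_m_polynomial(n, d)
    primes = primes_up_to(y)
    R = {p: roots_mod_p(coeffs, p) for p in primes}
    T = []
    for b in range(1, u + 1):
        rational = sieve_row(b, u, primes, lambda a: abs(a - b * m), lambda p: [m % p])
        algebraic = sieve_row(b, u, primes, lambda a: abs(homogeneous(coeffs, a, b)), lambda p: R[p])
        T.extend((a, b) for a in sorted(rational & algebraic))
    return m, coeffs, T


def valid_pair(coeffs, m, a, b, y):
    """Independent check: coprime, and both a - bm and N(a - b alpha) are y-smooth."""
    return gcd(a, b) == 1 and is_y_smooth(a - b * m, y) and is_y_smooth(homogeneous(coeffs, a, b), y)


if __name__ == "__main__":
    m, coeffs, T = nfs_sieve(44831, 5, 10, 29)
    print(m, coeffs)       # 8 [7, 3, 4, 7, 2, 1]
    print(T)
```

With b = 1 the pair (3, 1) survives because 3 - 8 = -5 and F(3, 1) = f(3) = 646 = 2 x 17 x 19, while (7, 1) is rejected even though 7 - 8 = -1, since f(7) = 24234 carries the prime 577 beyond y.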


3.4 Obstructions


There are many issues regarding this construction of a square in $\mathbb{Z}[\alpha]$. First of
all, it is possible for an element of $\mathbb{Z}[\alpha]$ to be a perfect square in I but not in $\mathbb{Z}[\alpha]$. Here,
I is the ring of algebraic integers in the algebraic number field $\mathbb{Q}[\alpha]$. That is to say, I
consists of elements of $\mathbb{Q}[\alpha]$ that are the root of some monic polynomial in $\mathbb{Z}[x]$. I is also
known as a Dedekind domain, which is an integral domain in which every nonzero proper
ideal factors into a product of prime ideals. The following lemma is important since it is
a handy tool to get an element in $\mathbb{Z}[\alpha]$ from an element in I.


Lemma 10. Let f(x) be a monic irreducible polynomial in $\mathbb{Z}[x]$, with root $\alpha$ in the
complex numbers. Let I be the ring of algebraic integers in $\mathbb{Q}(\alpha)$, and let $\beta \in I$. Then
$f'(\alpha)\beta \in \mathbb{Z}[\alpha]$. [CP01]

So instead of searching for $\prod_{(a,b) \in S} (a - b\alpha)$ to be a square in $\mathbb{Z}[\alpha]$, we can
get away with having that product be a square in I, namely $\gamma^2$. Using Lemma 10, we
have $f'(\alpha)\gamma \in \mathbb{Z}[\alpha]$. Therefore, $f'(\alpha)^2 \prod_{(a,b) \in S} (a - b\alpha)$ is a square in $\mathbb{Z}[\alpha]$.

Note that this changes our basic plan, as explained in 3.1. Our old plan was to
find $\prod (a - bm)$ to be a square in $\mathbb{Z}$ and $\prod (a - b\alpha)$ to be a square in $\mathbb{Z}[\alpha]$. Since f and
m are constructed by the base-m algorithm, f(m) = n and $1 < f'(m) < n$, and also we
can assume that $\gcd(f'(m), n) = 1$. Therefore, multiplying (3.1) by $f'(m)^2$ will give us
$f'(m)^2 \prod (a - bm)$, which is a square in $\mathbb{Z}$. Our new plan will be to find $f'(m)^2 \prod (a - bm)$
a square in $\mathbb{Z}$ and the corresponding $f'(\alpha)^2 \prod (a - b\alpha)$ a square in $\mathbb{Z}[\alpha]$. To do this, it is
sufficient to force the product $\prod (a - b\alpha)$ to be a square of an algebraic integer.


3.5 Exponent Vectors


The main goal of this step is to find a non-empty set S of coprime integer pairs
that satisfy both (3.1) and (3.2) simultaneously. In order to achieve this, we use linear
algebra together with the rational and algebraic factor bases to locate $S \subset T$. For a
number to be a square, all the primes in its factorization have to have even powers. Let
$B = \pi(y)$, where $\pi(y)$ denotes the number of primes up to y. Suppose there are more than
B + 1 elements in $T_1$; with the choice of parameters u and y, we can use linear algebra to
find a dependency over $\mathbb{F}_2$. If w is a y-smooth integer, then $w = \prod_i p_i^{e_i}$, $0 \le i \le B$. The
exponent vector e(w) is defined by:

$$e(w) = (e_0 \bmod 2,\ e_1 \bmod 2,\ \ldots,\ e_B \bmod 2).$$

The product of all the numbers w is a square when $\sum e(w) = 0 \in \mathbb{F}_2^{B+1}$. With the same
idea, we can combine B + 1 values of $a - bm$ which are y-smooth, forming $e(a - bm)$.
We can then find a non-trivial linear dependence relation with coefficients 0 and 1. The
product $\prod_{(a,b) \in S} (a - bm)$ is a square in $\mathbb{Z}$ when we find $\sum_{(a,b) \in S} e(a - bm) = 0$ in $\mathbb{F}_2^{B+1}$.

In the same manner, we can use the idea of exponent vectors to multiply a set
of norms $N(a - b\alpha)$ to find a square. Since different elements in $\mathbb{Z}[\alpha]$ can have the same
norm, it is necessary to keep track of $r \equiv ab^{-1} \in R(p)$ for each p that divides $N(a - b\alpha)$.
For each pair (p, r), the exponent $e_{p,r}(a - b\alpha)$ is defined to be the number of factors p in
the factorization of $N(a - b\alpha)$ if $a \equiv br \pmod p$. If $a \not\equiv br \pmod p$, then $e_{p,r}(a - b\alpha)$ is
defined to be 0. Therefore, we have:

$$N(a - b\alpha) = \prod_{p,\, r} p^{e_{p,r}(a - b\alpha)}$$
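Computing the (p, r)-indexed exponents $e_{p,r}(a - b\alpha)$ just defined, as an added Python example that is not part of the thesis. It uses f(x) = x^5 + 2x^4 + 7x^3 + 4x^2 + 3x + 7 from section 3.2 with the primes up to 29, so it goes beyond the page's x^2 + 3 illustration; the pairs (a, b) are constructed inputs and gcd(a, b) = 1 is assumed (so no p dividing b can divide the norm). The norm and root helpers are recomputed here rather than shared with any other block.

```python
def poly_eval(coeffs, x):
    return sum(c * x ** i for i, c in enumerate(coeffs))


def norm(coeffs, a, b):
    """N(a - b alpha) = F(a, b) = b^d f(a/b)."""
    d = len(coeffs) - 1
    return sum(c * a ** i * b ** (d - i) for i, c in enumerate(coeffs))


def algebraic_exponents(coeffs, a, b, primes):
    """The nonzero e_{p,r}(a - b alpha) over the given primes, keyed by (p, r) with
    r = a b^-1 (mod p), together with the cofactor left after removing those primes
    (1 means the norm is smooth over the given primes). Requires gcd(a, b) = 1."""
    v = abs(norm(coeffs, a, b))
    vec = {}
    for p in primes:
        if v % p:
            continue
        e = 0
        while v % p == 0:
            v //= p
            e += 1
        r = a * pow(b, -1, p) % p              # the residue class a = b r (mod p)
        assert poly_eval(coeffs, r) % p == 0   # r must lie in R(p)
        vec[(p, r)] = e
    return vec, v


def sum_mod_2(vectors):
    """Componentwise sum of e_{p,r} vectors reduced mod 2; only the odd entries are kept,
    so an empty result means the product of the norms is a square."""
    total = {}
    for vec in vectors:
        for key, e in vec.items():
            total[key] = total.get(key, 0) + e
    return {key: e % 2 for key, e in total.items() if e % 2}


if __name__ == "__main__":
    F = [7, 3, 4, 7, 2, 1]                       # f from section 3.2
    P = [2, 3, 5, 7, 11, 13, 17, 19, 23, 29]
    for a, b in ((1, 1), (-1, 1), (3, 1), (-2, 1)):   # constructed pairs
        print((a, b), algebraic_exponents(F, a, b, P))
```

Because the key carries r as well as p, two elements with the same norm but different residue classes (for example r = 3 in R(17) versus some other root of f mod 17) land in different coordinates, which is the point of the construction.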

As an example, consider $f(x) = x^2 + 3$, with B = 5. Then R(2) = {1}, R(3) =
{0}, R(5) = {}. We consider three pairs (a, b) such that their norms F(a, b) are 5-
smooth. These pairs are: $F(1, 1) = 4 = 2^2$, $F(3, 1) = 12 = 2^2 \cdot 3$, $F(3, -1) = 12 = 2^2 \cdot 3$. If
we only went by these prime factorizations, then we might choose $(3 + i)(3 - i)$ whose norm
$12^2$ is a perfect square. But this would not give us what we want because $(3 + i)(3 - i) = 10$
is not a square. We can also tell that $(3 + i)(3 - i)$ is not a square based on the sum of
their exponent vectors.

Component vectors of 5-smooth members corresponding to the two pairs (p, r):
(2, 1) and (3, 0) are:

$F(1, 1) = 4$ has the exponent vector (2, 0).

First of all we want to check whether $a \equiv br \pmod p$ with (a, b) = (1, 1) and
(p, r) = (2, 1). Because the answer is yes, the exponent $e_{2,1}(1 - \alpha)$ is the
exponent of 2 in the factorization of F(1, 1) = 4.

Next we do the same for $e_{3,0}(1 - \alpha)$. Since $a \not\equiv br \pmod p$ with (a, b) = (1, 1)
and (p, r) = (3, 0), the exponent in this case is 0. This gives F(1, 1) an exponent
vector of (2, 0). Similarly, F(3, 1) = 12 has the exponent vector (2, 1), and F(3, -1) =
12 has the exponent vector (2, 0).

Since the sum of the exponent vectors modulo 2 of $(3 + i)$, $(3 - i)$ is (0, 1), it
allows us to see that their product is not a square. At the same time, even when we have
$\sum_{(a,b) \in S} e_{p,r}(a - b\alpha) \equiv 0 \pmod 2$, there is no guarantee that the product of the corresponding
elements will be a square in $\mathbb{Z}[\alpha]$. In the above example, the exponent vector of
F(1, 1)F(3, -1) is (0, 0), yet $(1 + i)(3 - i) = 4 + 2i$ is not a square in $\mathbb{Z}[i]$. Similarly,
the following lemma gives a condition that is necessary but not sufficient for the
product of $(a - b\alpha)$ to be a square in $\mathbb{Z}[\alpha]$. The extent to which its converse fails will be
compensated for with the use of a quadratic character base, which will be discussed later.


Lemma 11. If S is a set of coprime integer pairs (a, b) such that each $a - b\alpha$ is y-smooth,
and if $\prod_{(a,b) \in S} (a - b\alpha)$ is a square of an element in I, the ring of algebraic integers in
$\mathbb{Q}[\alpha]$, then

$$\sum_{(a,b) \in S} e_{p,r}(a - b\alpha) \equiv 0 \pmod 2.$$

We still have obstructions, since the converse of Lemma 11 does not hold. That is,
the sum of our exponent vectors might be zero and we still might not have a square in I. This
can be overcome with the use of quadratic characters. This idea is due to Adleman and is
based on the Legendre symbol. If p is an odd prime and $\left(\frac{a}{p}\right) = 1$, then a is a quadratic
residue modulo p. Similarly $\left(\frac{a}{p}\right) = -1$ if a is a quadratic nonresidue modulo p. Both
occur with equal likelihood. So if a is a square, then for any odd prime p we have $\left(\frac{a}{p}\right) = 1$.
Although the converse of the above statement is not true, we just want to apply the idea
probabilistically. Suppose X is a finite set of k odd primes and $a \in \mathbb{Z}$. Suppose also
that $\left(\frac{a}{p}\right) = 1$ for each prime p in X. The probability of a not being a square is about
$2^{-k}$. Therefore, if k is large and $\left(\frac{a}{p}\right)$ is always equal to 1 for primes $p \in X$, then a has a
high probability of being a square. We want to incorporate this idea with the algebraic
integers $a - b\alpha$ through the following lemma.


Lemma 12. Let f(x) be a monic, irreducible polynomial in $\mathbb{Z}[x]$ and let $\alpha$ be a root of
f in the complex numbers. Suppose q is an odd prime number and s is an integer with
$f(s) \equiv 0 \pmod q$ and $f'(s) \not\equiv 0 \pmod q$. Let S be a set of coprime integer pairs (a, b) such
that q does not divide any $a - bs$ for $(a, b) \in S$ and $f'(\alpha)^2 \prod_{(a,b) \in S} (a - b\alpha)$ is a square in
$\mathbb{Z}[\alpha]$. Then

$$\prod_{(a,b) \in S} \left(\frac{a - bs}{q}\right) = 1.$$

Just as with Lemma 11, the result of this theorem alone is a necessary but not
sufficient condition to test for squareness in $\mathbb{Z}[\alpha]$. For those pairs (a, b) that satisfy
Lemma 11 and Lemma 12 simultaneously, there is a good chance that the product of
$a - b\alpha$ is a square of some element in the algebraic ring I. Pairs (q, s) satisfying Lemma
12 are referred to as the character base.
3.6 Matrix and Linear Algebra


After section 3.3, we found $T = T_1 \cap T_2$ such that:

$$T = \{(a, b) : \gcd(a, b) = 1,\ |a| \le u,\ 0 < b \le u,\ (a - bm) \text{ and } N(a - b\alpha) \text{ are } y\text{-smooth}\}$$

Define

$$B = \pi(y)$$
$$B' = \#\{(p, r) : p \text{ is a prime number},\ p \le y,\ r \in R(p)\}$$
$$B'' = \lfloor 3 (\log n) / \log 2 \rfloor$$

Each column of the matrix corresponds to a binary vector $e(a, b)$ for each pair (a, b)
and has entries as follows: the first entry would be the sign of $a - bm$, where the entry
will receive 0 if $a - bm$ is positive and 1 if it is negative. The next B entries would be the
exponents modulo 2 of all the primes up to y in the factorization of $a - bm$. The next
B' entries would be the exponent vectors as described in section 3.4. The next B'' entries
are determined by $\left(\frac{a - bs}{q}\right)$ as (q, s) runs over the character base. The corresponding entry
for each pair (q, s) would be 0 if $\left(\frac{a - bs}{q}\right) = 1$ and 1 if $\left(\frac{a - bs}{q}\right) = -1$.

If enough (a, b) pairs are found such that they exceed $1 + B + B' + B''$ in number, then
the vectors e(a, b) for $(a, b) \in T$ are linearly dependent. Therefore a nonempty subset S of
T has been found such that $\sum_{(a,b) \in S} e(a, b) = 0$ in $\mathbb{F}_2^{1 + B + B' + B''}$. Such an S will make
$f'(m)^2 \prod_{(a,b) \in S} (a - bm)$ and $f'(\alpha)^2 \prod_{(a,b) \in S} (a - b\alpha)$ perfect squares in $\mathbb{Z}$ and $\mathbb{Z}[\alpha]$ respectively.


3.7 Square Root in $\mathbb{Z}[\alpha]$


Up to this point we have found a set S of coprime integer pairs (a, b) such
that $f'(\alpha)^2 \prod_{(a,b) \in S} (a - b\alpha) = \gamma^2$ for $\gamma \in \mathbb{Z}[\alpha]$ and $f'(m)^2 \prod_{(a,b) \in S} (a - bm) = v^2$. Notice
that this $\gamma$ and v are slightly different from those in (3.1) and (3.2) because of the reasons
that we discussed in 3.5 above. Suppose there is an integer u such that $\varphi(\gamma) \equiv u \pmod n$.
Then $u^2 \equiv [\varphi(\gamma)]^2 \pmod n$, or $u^2 \equiv \varphi\left[f'(\alpha)^2 \prod_{(a,b) \in S} (a - b\alpha)\right] \pmod n$. Then
$u^2 \equiv \left[f'(m)^2 \prod_{(a,b) \in S} (a - bm)\right] \pmod n$, or $u^2 \equiv [f'(m)v]^2 \pmod n$. Therefore, with a probability
of approximately 1/2, $\gcd(u - f'(m)v, n)$ will be a non-trivial factor of n. Since $v \in \mathbb{Z}$,
we would not have a problem taking the square root of $f'(m)^2 \prod (a - bm) = v^2$ to find v,
especially when we are only concerned with the residue $v \pmod n$. Actually we already
have $\prod (a - bm)$ expressed as a product of primes to even powers, so we can find v by
cutting these powers in half, then multiplying by f'(m). Unlike taking the square root of $v^2$,
trying to take the square root of $\gamma^2$ in the number ring $\mathbb{Z}[\alpha]$ is by no means easy because
we are dealing with a very big number and we cannot take advantage of the modulo n
property to simplify the problem.

There are several methods of dealing with this part of the Number Field Sieve.
One of the approaches is suggested by Couveignes 1993 [BLP93]. We have $\gamma^2$ represented
as an element of $\mathbb{Z}[\alpha] \cong \mathbb{Z}[x]/f(x)$. By reducing the coefficients of this polynomial modulo
p (where p is an odd prime) we create a perfect square in $\mathbb{Z}_p[x]/f(x)$. This perfect square
in $\mathbb{Z}_p[x]/f(x)$ may have several square roots. One of them will have the coefficients of
$\gamma$ modulo p. That is the one we want. If we can determine the coefficients of $\gamma \pmod p$
for enough primes p, then we can use the Chinese Remainder Theorem to recover $\gamma$.
We start by choosing odd primes p such that f(x) is irreducible modulo p. This causes
$\mathbb{Z}_p[x]/f(x)$ to be a finite field. Since there are at most two square roots of an element of
a field, this limits the number of square roots that we have to distinguish.

First of all, we want to solve for $\gamma \pmod p$ (that is, for the coefficients of $\gamma$
modulo p). For the time being, we are going to focus on how to compute square roots in
a finite field. We are going to use the concepts of quadratic residue and quadratic non-residue
together with an extension of Euler's criterion and the Sylow 2-subgroup to achieve what
we want.


Definition 3.1. Let $\mathbb{F}_{p^k}$ be a finite field with $p^k$ elements, where p is an odd prime. An
element $\tau \in \mathbb{F}_{p^k}$ is called a quadratic residue if there is an element $\delta$ in $\mathbb{F}_{p^k}$ such that
$\delta^2 = \tau$. It is called a quadratic non-residue otherwise.


Theorem 13. (Euler's Criterion) Let $\mathbb{F}_{p^k}$ be a finite field with $p^k$ elements, where p is
an odd prime. An element $\tau \in \mathbb{F}_{p^k}^*$ is a quadratic residue if and only if $\tau^{(p^k - 1)/2} = 1$, and
is a quadratic non-residue if and only if $\tau^{(p^k - 1)/2} = -1$.


Consider the finite field $\mathbb{F}_{p^k}$ of size $p^k$. Denote $p^k = q$. Since $p^k$ is odd, $p^k - 1 = q - 1$
can be expressed as $2^s t$ where t is odd. Let $\tau$ be a quadratic residue; then
$(\tau^{(t+1)/2})^2 = \tau^{t+1} = \tau^t \tau$. We conclude that $\tau^t$ is a quadratic residue in $\mathbb{F}_q^*$. Then there
exists an element $c \in \mathbb{F}_q^*$ such that $c^2 = \tau^t$. Notice that the square root of $\tau$ can be
expressed as $\tau^{(t+1)/2} c^{-1}$ since

$$(\tau^{(t+1)/2} c^{-1})^2 = \tau^{t+1} c^{-2} = \tau^{t+1} \tau^{-t} = \tau.$$

Our immediate goal now is to find c from $c^2 = \tau^t$. We are going to show such
an element c has order dividing $2^s$ and belongs to the Sylow 2-subgroup $S_{2^s}$ of $\mathbb{F}_q^*$. Since $\tau$
is a quadratic residue, Euler's Criterion gives:

$$\tau^{(q-1)/2} = 1$$
$$\tau^{2^{s-1} t} = 1$$
$$(\tau^t)^{2^{s-1}} = 1.$$

Therefore $\tau^t$ has order dividing $2^{s-1}$, and so does $c^2$ since $c^2 = \tau^t$. It follows
that c has order dividing $2^s$. From abstract algebra we know that every element of the
Sylow 2-subgroup $S_{2^s}$ has order dividing $2^s$ and vice versa. We also notice that if g is
a quadratic non-residue in $\mathbb{F}_q^*$, then $g^{(q-1)/2} = -1$, $g^{2^{s-1} t} = -1$, and $(g^t)^{2^{s-1}} = -1$. Then
$(g^t)^{2^s} = 1$, so $g^t$ has order exactly $2^s$. Therefore $g^t$ is a generator
of the Sylow 2-subgroup $S_{2^s}$. In particular, the Sylow 2-subgroup $S_{2^s}$ will look like
$\{1, g^t, g^{2t}, \ldots, g^{(2^s - 1)t}\}$. Since half of the elements in $\mathbb{F}_q^*$ are quadratic non-residues, a direct
search for such a g will end quickly. Once we find a quadratic non-residue and generate the
Sylow 2-subgroup, we can search for an element c whose square is equal to $\tau^t$. Once c is
found, a square root of $\tau$ is just $\tau^{(t+1)/2} c^{-1}$.
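The square-root procedure just described, as an added Python example that is not from the thesis, carried out in the prime field F_p rather than in Z_p[x]/f(x); with q = p the group-theoretic steps are identical: write p - 1 = 2^s t, find a quadratic non-residue g by direct search, generate S_{2^s} from g^t, search that subgroup for c with c^2 = tau^t, and return tau^((t+1)/2) c^-1. The search over all of S_{2^s} is the direct search the text describes, not the optimized Tonelli-Shanks loop, so it is meant for reading rather than for large s.

```python
def euler_criterion(tau, p):
    """tau^((p-1)/2) mod p: 1 for a quadratic residue, p-1 (i.e. -1) for a non-residue."""
    return pow(tau, (p - 1) // 2, p)


def split_power_of_two(n):
    """Write n = 2^s t with t odd; returns (s, t)."""
    s = 0
    while n % 2 == 0:
        n //= 2
        s += 1
    return s, n


def sylow_2_subgroup(p, s, t):
    """S_{2^s} = {1, g^t, g^{2t}, ..., g^{(2^s - 1)t}} for a quadratic non-residue g."""
    g = next(x for x in range(2, p) if euler_criterion(x, p) == p - 1)
    gen = pow(g, t, p)                     # has order exactly 2^s
    return [pow(gen, j, p) for j in range(2 ** s)]


def sqrt_mod_p(tau, p):
    """A square root of tau in F_p (p an odd prime), or None if tau is a non-residue."""
    tau %= p
    if tau == 0:
        return 0
    if euler_criterion(tau, p) != 1:
        return None
    s, t = split_power_of_two(p - 1)
    target = pow(tau, t, p)                # tau^t, whose order divides 2^(s-1)
    sylow = sylow_2_subgroup(p, s, t)
    c = next(x for x in sylow if x * x % p == target)   # c has order dividing 2^s
    return pow(tau, (t + 1) // 2, p) * pow(c, -1, p) % p


if __name__ == "__main__":
    for p, tau in ((41, 2), (97, 3), (113, 10)):
        r = sqrt_mod_p(tau, p)
        print(p, tau, r, r is not None and r * r % p == tau)
```

Both c and -c square to tau^t, so the search may return either root of tau; in the number-field setting that is exactly the ambiguity the norm comparison in the next paragraphs resolves.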

For our purpose, the $r$ we are interested in is the reduction of $\gamma^2 \in Z[x]/f(x)$
modulo $p$. The problem we face is that we have two square roots $\pm\gamma_i$ for each prime $p_i$.
We need to determine which of these two square roots gives the coefficients of $\gamma$ modulo
$p_i$. Earlier, we defined the norm of an element in $Z[x]/f(x)$. We can apply the same
definition to get the norm of an element in $Z_p[x]/f(x)$. If we start with an element $\mu$ in
$Z[x]/f(x)$, then reduce the coefficients of the polynomial modulo $p$, we get an element $\nu$
in $Z_p[x]/f(x)$. In this case $N(\nu)$ will just be the reduction of $N(\mu)$ modulo $p$. We notice
that, by definition, $N(-1) = N(-1 + 0\alpha) = (-1)^d$, which equals $-1$ when $d$ is odd, as was
promised from the start. Then $N(-\nu) = N(-1)N(\nu) = -N(\nu)$. Therefore the two square
roots of $r$ can be distinguished by their norms.
Now the norm of $\gamma^2$ is known. In fact we have its prime factorization in even
powers. By cutting these powers in half, we can determine the norm of one of its square
roots, which we designate as $+\gamma$. By reducing this norm modulo $p$, we can then check
which square root of $r$ has the correct norm. Computing the norm of the square roots of
$r$ is easy since we can start with a choice of $d$ (the non-residue) whose norm is known.

At this point we have found the square root $\gamma$ in terms of $\pm\gamma_i$ in different finite
fields. Let's remind ourselves that our goal is to search for $u^2$ and $v^2$ where

$v^2 = f'(m)^2 \prod_{(a,b) \in S} (a - bm)$

and $u^2 = \varphi\left(f'(\alpha)^2 \prod_{(a,b) \in S} (a - b\alpha)\right) \pmod n,$

with $\gamma^2 = f'(\alpha)^2 \prod_{(a,b) \in S} (a - b\alpha)$ and $\varphi(\gamma) \equiv u \pmod n$. Also recall that $\gamma$ is a polynomial
in $Z[x]/f(x)$, and that we have access to the coefficients of this polynomial modulo $p$ for
several values of $p$. To pass from $\gamma$ to $u$ we need to replace the variable $x$ with the integer
$m$. Performing this calculation modulo $p$ will immediately give us the value of $u \pmod p$.
Therefore, instead of computing $\gamma$ and then applying $\varphi$ to give us $u$, we can save time by
going directly after $u$.

We can calculate $u$ by using the Chinese Remainder Theorem because we have access
to the system of congruences:

$u \equiv u_1 \pmod{p_1}$

$u \equiv u_2 \pmod{p_2}$

$\vdots$

$u \equiv u_{k-1} \pmod{p_{k-1}}$

where $u_i$ is the image of $\gamma_i$ under the $\varphi$ mapping, so that $\varphi(\gamma_i) \equiv u_i \pmod{p_i}$.
Therefore $u \equiv \sum_{i=1}^{k-1} u_i a_i P_i \pmod P$, where $P = \prod_i p_i$, $P_i = P/p_i$ and $a_i P_i \equiv 1 \pmod{p_i}$.
Denote $\sum_{i=1}^{k-1} u_i a_i P_i = z$, so $u \equiv z \pmod P$. There
is one final problem to overcome. If $u$ is large to start with and $z$ is much bigger than $u$,
then using $z$ to calculate $u$ could be a problem. Fortunately, we have a different approach
to calculate $u$. If we round $z/P$ to an integer $r = \lfloor z/P + 1/2 \rfloor$ then we have $u = z - rP$.


We can calculate $r$ without having to deal with a very large $z$ as follows:

This gives us $r$ by computing $\lfloor z/P + 1/2 \rfloor$. Once $r$ is computed, we can determine $u$ modulo
$n$ by observing that $u = z - rP \equiv \sum_{i=1}^{k-1} u_i a_i P_i - rP \pmod n$. Then the computation of
$u$ can be carried out modulo $n$.
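The two computations this section describes, as an added Python example that is not the thesis' own code: a square root modulo an odd prime $p$ found by walking the Sylow 2-subgroup generated by $g^t$ (the direct search the text proposes, adequate for small $p$), and the Chinese Remainder reconstruction of $u \bmod n$ that never forms the large $z$, using the fact that $z/P = \sum_i b_i/p_i$ with $b_i = u_i a_i \bmod p_i$ can be summed as a small floating-point number. It assumes $|u| < P/2$ so that $u = z - rP$ with $r = \lfloor z/P + 1/2 \rfloor$; the function names are my own.

```python
from math import floor

def sqrt_mod_p(r, p):
    """Square root of the quadratic residue r modulo an odd prime p, found
    by searching the Sylow 2-subgroup S_{2^s} of F_p^* as in the text."""
    r %= p
    if r == 0:
        return 0
    if pow(r, (p - 1) // 2, p) != 1:          # Euler's criterion
        raise ValueError("r is not a quadratic residue mod p")
    s, t = 0, p - 1                            # write p - 1 = 2^s * t with t odd
    while t % 2 == 0:
        s, t = s + 1, t // 2
    g = 2                                      # quadratic non-residue: g^((p-1)/2) = -1
    while pow(g, (p - 1) // 2, p) != p - 1:
        g += 1
    h = pow(g, t, p)                           # g^t has order exactly 2^s: it generates S_{2^s}
    target = pow(r, t, p)                      # we need c in S_{2^s} with c^2 = r^t
    c = 1                                      # walk {1, h, h^2, ...}; a solution always exists
    while pow(c, 2, p) != target:
        c = c * h % p
    return pow(r, (t + 1) // 2, p) * pow(c, -1, p) % p   # (r^((t+1)/2) c^-1)^2 = r

def crt_mod_n(residues, primes, n):
    """Recover u (mod n) from u_i = u mod p_i without ever forming z or P.
    Assumes |u| < P/2 = prod(p_i)/2 so that u = z - rP, r = floor(z/P + 1/2)."""
    P_mod_n = 1
    for p in primes:
        P_mod_n = P_mod_n * p % n
    frac = 0.0                                 # accumulates z/P = sum b_i / p_i (< len(primes))
    z_mod_n = 0                                # accumulates z = sum b_i P_i, modulo n
    for i, (u_i, p_i) in enumerate(zip(residues, primes)):
        Pi_mod_pi, Pi_mod_n = 1, 1             # P_i = P/p_i, needed only mod p_i and mod n
        for j, p_j in enumerate(primes):
            if j != i:
                Pi_mod_pi = Pi_mod_pi * p_j % p_i
                Pi_mod_n = Pi_mod_n * p_j % n
        a_i = pow(Pi_mod_pi, -1, p_i)          # a_i P_i = 1 (mod p_i)
        b_i = u_i * a_i % p_i                  # reducing mod p_i keeps z below len(primes) * P
        frac += b_i / p_i
        z_mod_n = (z_mod_n + b_i * Pi_mod_n) % n
    r = floor(frac + 0.5)                      # the rounding step, done on a small float
    return (z_mod_n - r * P_mod_n) % n         # u = z - rP, carried out modulo n
```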

All we have to do now is find $\gcd(u - v, n)$ and there is a 50-50 chance of factoring
$n$. If the factorization fails then we don't have to start the process all over again. Most
of the work is in the sieving and the linear algebra steps. We can throw out one of the
smooth exponent vectors that was used in the linear dependency found in section 3.6.
Then, as long as we did a small amount of over-sieving, there should be additional linear
dependencies remaining. We can find them by repeating the linear algebra step. Most of
this work can also be saved. So coming up with a fresh pair $u, v$ is not that difficult and
gives us additional chances to factor $n$.